Abstract. We introduce a novel variant of logical relations that maps types not 
merely to partial equivalence relations on values, as is commonly done, but rather 
to a proof-relevant generalisation thereof, namely setoids. The objects of a setoid 
establish that values inhabit semantic types, whilst its morphisms are understood 
as proofs of semantic equivalence. 

The transition to proof-relevance solves two well-known problems caused by the 
use of existential quantification over future worlds in traditional Kripke logical 
relations: failure of admissibility, and spurious functional dependencies. 
We illustrate the novel format with two applications: a direct-style validation 
of Pitts and Stark's equivalences for "new" and a denotational semantics for a 
region-based effect system that supports type abstraction in the sense that only 
externally visible effects need to be tracked; non-observable internal modifica- 
tions, such as the reorganisation of a search tree or lazy initialisation, can count 
as 'pure' or 'read only'. This 'fictional purity' allows clients of a module soundly 
to validate more effect-based program equivalences than would be possible with 
traditional effect systems. 



1 Introduction 

The last decade has witnessed significant progress in modelling and reasoning about the tricky combination of effects and higher-order language features (first-class functions, modules, classes). The object of study may be ML-, Java-, or assembly-like, but the common source of trickiness is the way effectful operations may be partially encapsulated behind higher-order abstractions. Problems in semantics and verification of effectful languages are often addressed using a range of common techniques that includes separation and Kripke logical relations (KLRs). The particular problem motivating the development of the proof-relevant form of KLR introduced here is that of giving a semantics to effect systems that accounts for partial encapsulation, though the general construction is more broadly applicable. As we will see, direct semantic reasoning in our model (as opposed to generic reasoning based on refined types) also allows many of the trickiest known equivalences concerning encapsulated store to be proved.

Effect systems [16] refine conventional types by tracking upper bounds on the side-effects of expressions. A series of papers, by ourselves and others [19, 5, 4, 6, 30], have explored the semantics of effect systems for mutable state, addressing not merely the correctness of analyses, but also the soundness of effect-dependent optimizations and refactorings. An example is the commutation of stateful computations M and N, subject to the condition that the sets of storage locations potentially written by M and N are disjoint, and that neither potentially reads a location that the other writes. Our primary interest is not syntactic rules for type assignment, but rather semantic interpretations of effect-refined types that can justify such equivalences. Types provide a common interface language that can be used in modular reasoning about rewrites; types can be assigned to particular terms by a mixture of more or less sophisticated inference systems, or by deeper semantic reasoning.

A key notion in compositional reasoning about state is that of separation: invari- 
ants depending upon mutually disjoint parts of the store. Intuitively, if each function 
with direct access to a part preserves the corresponding invariant, then all the invariants 
will be preserved by any composition of functions. Disjointness is naively understood 
in terms of sets of locations. A memory allocator, for example, guarantees that its own 
private datastructures, memory belonging to clients, and any freshly-allocated block 
inhabit mutually disjoint sets of locations. Since the introduction of fractional permis- 
sions, separation logics often go beyond this simple model, introducing resources that 
are combined with a separating conjunction, but which are not literally interpreted as 
predicates on disjoint locations. Research on 'domain-specific' [20], 'fictional' [13, 18], 'subjective' [22], or 'superficial' [21] separation aims to let custom notions of separable resource be used and combined modularly. This paper presents a semantics for effect systems supporting fictional, or 'abstract', notions of both effects and separation.

We previously interpreted effect-refined types for stateful computations as binary 
relations, defined via preservation of particular sets of store relations. This already pro- 
vides some abstraction. For example, a function that reads a reference, but whose result 
is independent of the value read can soundly be counted as pure (contrasting with mod- 
els that instrument the concrete semantics). Our models also validated the masking rule, 
allowing certain non-observable effects not to appear in annotations. But here we go fur- 
ther, generalizing the interpretation of regions to partial equivalence relations (PERs). 
This allows, for example, a lookup function for a set ADT to be assigned a read-but- 
not-write effect, even if the concrete implementation involves non-observable writes to 
rebalance an internal datastructure. Roughly, there is a PER that relates two heaps iff 
they contain well-formed datastructures representing the same mathematical set, and 
the ADT operations respect this PER: looking up equal values in related heaps yields 
equal booleans, adding equal values in related heaps yields new related heaps, and so 
on. A mutating operation need only be annotated with a write effect if the updated heap 
is potentially in a different equivalence class from the original one. In fact, we further 
improve previous treatments of write effects, via a 'guarantee' condition that explic- 
itly captures allowable local updates. Surprisingly, this allows the update and remove 
operations for our set ADT to be flagged with just a write effect, despite the fact that 
the final state of the set depends on the initial one, exploiting the idempotence of the 
updates and validating many more useful program transformations. 

Moving to PERs also allows us to revisit the notion of separation, permitting distinct abstract locations, or regions, to refer to PERs whose footprints overlap, albeit non-observably, in memory. A module may, for example, implement two distinct logical references using a single physical location containing a coding (e.g. 2^i 3^j) of a pair (i, j) of integers. Or a resource allocator can keep logically separated tokens tracking each allocated resource, acting as permissions for deallocation, in a shared datastructure such as a bitmap or linked list (a well-known problem in modular separation [21]). The innovation here is a notion of independence of PERs, capturing the situation where intersection of PERs yields a cartesian product of quotients of the heap.
The ideas sketched above are intuitively rather compelling, but formally integrating them into the form of KLR we had previously used for effect systems turns out to be remarkably hard. Figure 1 shows a (tweaked) extract from an earlier paper [4]. Here a world w is just a finite partial bijection between locations, with region-coloured links; h, h' ⊨ w simply means that for each link (l, l') ∈ w, l ∈ dom(h) and l' ∈ dom(h'). Two computations f, f' : H ⇀ H × V, where H, V are sets of heaps and values, respectively, are in the relation (T_ε Q) w, where ε is an effect and the relation Q interprets a result type, if they preserve all heap relations R in a set depending on ε and w, and there exists some disjoint world extension w₁ such that the new heaps are equal on the domain of w₁, and the result values are Q-related at the extended world w ⊗ w₁.

    (T_ε Q) w = QPER{ (f, f') | h, h' ⊨ w ⇒
                      ∀R ∈ Rels(ε)(w). h R h' ⇒ h₁ R h₁' ∧
                      ∃w₁. h₁, h₁' ⊨ w ⊗ w₁ ∧ h₁ =_{w₁} h₁' ∧
                      (v, v') ∈ Q (w ⊗ w₁)
                      where f(h) = (h₁, v) and f'(h') = (h₁', v') }

    Fig. 1: Earlier Kripke logical relation, extract

The problematic part is the existential quantification over world extensions, the ∃w₁ on the third line, allowing for the computations to allocate fresh locations. This pattern of quantification occurs in many accounts of generativity, but the dependence of w₁ on both h and h' creates serious problems if one generalizes from bijections to PERs and tries to prove equivalences. Roughly, one has to consider varying the initial heap in which one computation, say f', is started; the existential then produces a different extension w₂ that is not at all related, even on the side of f where the heap stays the same, to the w₁ with which one started. The case of bijections, where h₁ depends only on h (not on h'), allows one to deduce sufficient information about the domain of w₁ from the clause h₁, h₁' ⊨ w ⊗ w₁, but this breaks down in the more abstract setting.

To fix this problem, we here take the rather novel step of replacing the existential quantifier in the logical relation by appropriate Skolem functions, explicitly enforcing the correct dependencies. In the language of type theory, this amounts to replacing an existential with a Σ-type. A statement like (f, f') ∈ T_ε⟦A⟧ is no longer just a proposition, but we rather have a "set of proofs" T_ε⟦A⟧(f, f') which in particular contains the aforementioned Skolem functions. We use an explicit version of the exact completion [10, 8], akin to and motivated by "setoid" or groupoid interpretations of type theory [17, 3, 33], to make these ideas both rigorous and more general.

Passing from relations to proof-relevant setoids also solves other problems. Existential quantification fails to preserve admissibility of relations, needed to deal with general recursion, and also fails to preserve 'PERness'. The QPER(-) operation in Figure 1 explicitly applies an admissible and (variant) PER closure operation; this works technically, but is very awkward to use. We do not need such a closure here. Step indexing [2, 30] and the use of continuations [27] can also deal with admissibility. However, step-indexing is inherently operational, whilst continuations lose sufficient abstraction to break some program equivalences, including commuting computations. Our third way, using setoids, is pleasantly direct. Finally, allocation effects are handled differently from reading and writing by the relation in Figure 1, being wired into the quantification rather than treated more abstractly by relation preservation. Our setoid-based formulation uses uniform machinery to treat all effects.

We start by reviewing some preliminary definitions on syntax and semantics of programs in Section 2. Section 3 introduces setoids, which is the setting in which we specify in Section 4 the typed semantics and introduce the notion of abstract effects. In Section 5 we describe proof-relevant logical relations, prove the fundamental theorem and define observational equivalence. Section 6 demonstrates a number of program equivalences that can be shown by using proof-relevant logical relations. We conclude and discuss future work in Section 7.

Note: We have elided many proofs, details of constructions and examples. This longer 
version of the paper includes some of this material in an appendix. 

2 Syntax and Semantics 

We will interpret effect-refined types over a somewhat generic, untyped denotational model for stateful computations in the category of predomains (ω-cpos). We also introduce a meta-language [24], providing concrete syntax for functions in the model. We omit the standard details of interpreting CBV programming languages via such a metalanguage, or proofs of adequacy, relating the operationally induced observational (in)equivalence to (in)equality in the model.

Denotational model We assume predomains V and H modelling values and heaps, respectively. As much of the metatheory does not rely on the finer details of how these predomains are defined, we axiomatise the properties we use. Firstly, we assume the existence of a set of (concrete) locations L and for each h ∈ H a finite set dom(h) ⊆ L. We also assume a constant ∅ ∈ H, the empty heap. If h ∈ H, l ∈ dom(h), then h(l) ∈ V. If v ∈ V, h ∈ H, l ∈ dom(h) then h[l ↦ v] ∈ H; finally new(h, v) yields a pair (l, h') where l ∈ L and h' ∈ H. These three operations are continuous; in particular, h ≤ h' ⇒ dom(h) ⊆ dom(h'), and the following axioms hold:

    dom(∅) = ∅,
    dom(h[l ↦ v]) = dom(h),
    (h[l ↦ v])(l') = if l = l' then v else h(l'),
    if new(h, v) = (l, h') then dom(h') = dom(h) ∪ {l}, l ∉ dom(h) and h'(l) = v.

Given V this abstract datatype can be implemented in a number of ways, e.g., as finite maps. We define the domain of computations C to be partial continuous functions from H to H × V, the bottom element being the everywhere undefined function.

We assume that V embeds tuples of values, i.e., if v₁, …, vₙ ∈ V then (v₁, …, vₙ) ∈ V and it is possible to tell whether a value is of that form and in this case to retrieve the components. We also assume that V embeds continuous functions f : V → C, i.e., if f is such a function then fun(f) ∈ V and, finally, locations are also values, i.e. if l ∈ L then loc(l) ∈ V and one can tell whether a value is a location or a function. A canonical example of such a V is the least solution to the predomain equation with C = H ⇀ H × V and V = int(ℤ) + fun(V → C) + loc(L) + V*.
Syntax The syntax of untyped values and computations is:

    v ::= x | () | c | (v₁, v₂) | v.1 | v.2 | rec f x = t
    t ::= v | let x ⇐ t₁ in t₂ | v₁ v₂ | if v then t₁ else t₂ | !v | v₁ := v₂ | ref(v)

Here, x ranges over variables and c over constant symbols, each of which has an associated interpretation ⟦c⟧ ∈ V; these include numerals n with ⟦n⟧ = int(n), arithmetic operations and so on. rec f x = t defines a recursive function with body t and recursive calls made via f; we use λx.t as syntactic sugar in the case when f ∉ fv(t). Finally, !v (reading) returns the contents of location v, v₁ := v₂ (writing) updates location v₁ with value v₂, and ref(v) (allocating) returns a fresh location initialised with v. The metatheory is simplified by using "let-normal form", in which the only elimination for computations is let, though we sometimes nest computations as shorthand for let-expanded versions in examples.
Semantics The untyped semantics of values ⟦v⟧ ∈ V → V and terms ⟦t⟧ ∈ V → C are defined by an entirely standard mutual induction, using least fixed points to interpret recursive functions, projection from tuples for variables and so on.

Types Types are given by the grammar: τ ::= unit | int | A | τ₁ × τ₂ | τ₁ →^ε τ₂, where A ranges over semantically defined basic types (see Def. 11). These contain reference types possibly annotated with regions and abstract types like lists, sets, and even objects, again possibly refined by regions. The metavariable ε represents an effect, that is a subset of some fixed set of elementary effects about which we say more later. The core typing rules for values and computations are shown in Figure 2. We do not bake in type rules for constants and effectful operations but, for a given semantic interpretation of types, we will be able to justify adding further rules for these primitives and, more importantly, for more complex expressions involving them. (The rules given here incorporate subeffecting; we expect our semantics to extend to more general subtyping.)
Equations Figure 3 outlines a core equational theory for the metalanguage. The full theory includes congruence rules for all constructs (like that given for rec), all the usual beta and eta laws and commuting conversions for conditionals as well as for let. We give a semantic interpretation of typed equality judgements which is sound for observational equivalence. As with typings, further equations involving effectful computations may be justified semantically in a particular model and added to the theory. The core theory then allows one to deduce new semantic equalities from already proven ones. The equations are typed: a derivation D of Γ ⊢ t = t' : τ & ε is canonically associated with typing derivations D.1 and D.2 of Γ ⊢ t : τ & ε and Γ ⊢ t' : τ & ε, respectively (but note we can semantically justify extending the type rules). The interpretation of D will be a proof object certifying that the interpretations of D.1 and D.2 are semantically equal, which then implies (Theorem 3) typed observational equivalence of t and t'.



    ─────────────           ────────────────           ─────────────
    Γ ⊢ n : int             Γ, x:τ ⊢ x : τ             Γ ⊢ () : unit

    Γ ⊢ v : τ               Γ ⊢ e : τ & ε₁    ε₁ ⊆ ε₂           Γ ⊢ v : τ₁ × τ₂
    ─────────────           ─────────────────────────           ───────────────  (i = 1, 2)
    Γ ⊢ v : τ & ∅           Γ ⊢ e : τ & ε₂                      Γ ⊢ v.i : τᵢ

    Γ ⊢ v₁ : τ₁ →^ε τ₂    Γ ⊢ v₂ : τ₁           Γ ⊢ v : int    Γ ⊢ e₁ : τ & ε    Γ ⊢ e₂ : τ & ε
    ─────────────────────────────────           ───────────────────────────────────────────
    Γ ⊢ v₁ v₂ : τ₂ & ε                          Γ ⊢ if v then e₁ else e₂ : τ & ε

    Γ ⊢ v₁ : τ₁    Γ ⊢ v₂ : τ₂        Γ ⊢ e₁ : τ₁ & ε    Γ, x:τ₁ ⊢ e₂ : τ₂ & ε        Γ, f:τ₁ →^ε τ₂, x:τ₁ ⊢ e : τ₂ & ε
    ─────────────────────────         ─────────────────────────────────────        ──────────────────────────────────
    Γ ⊢ (v₁, v₂) : τ₁ × τ₂            Γ ⊢ let x ⇐ e₁ in e₂ : τ₂ & ε                Γ ⊢ rec f x = e : τ₁ →^ε τ₂

    Fig. 2: Core rules for effect typing



2.1 Some example programs 

Dummy allocation Define dummy as λf.λx.let d ⇐ ref(0) in f x, so dummy(f) behaves like f but makes an allocation whose result is discarded. We will be able to show that dummy(f) displays no more abstract effects than f, so that whatever program transformation f can participate in, dummy(f) can as well.
Memoisation Let memo be the memoizing functional

    λf. let x ⇐ ref(0) in let y ⇐ ref(f 0) in
        λa. if eq a !x then !y else let r ⇐ f a in x := a; y := r; r
    Γ ⊢ t : τ & ε          Γ ⊢ t = t' : τ & ε      Γ ⊢ t = t' : τ & ε    Γ ⊢ t' = t'' : τ & ε      Γ ⊢ v = v' : τ
    ─────────────────      ──────────────────      ────────────────────────────────────────      ──────────────────
    Γ ⊢ t = t : τ & ε      Γ ⊢ t' = t : τ & ε      Γ ⊢ t = t'' : τ & ε                           Γ ⊢ v = v' : τ & ∅

    Γ ⊢ v₁ : τ₁    Γ ⊢ v₂ : τ₂               Γ, f:τ₁ →^ε τ₂, x:τ₁ ⊢ t = t' : τ₂ & ε              Γ ⊢ v : τ₁ × τ₂
    ──────────────────────────  (i = 1, 2)   ───────────────────────────────────────────────      ────────────────────────────
    Γ ⊢ (v₁, v₂).i = vᵢ : τᵢ                 Γ ⊢ (rec f x = t) = (rec f x = t') : τ₁ →^ε τ₂      Γ ⊢ v = (v.1, v.2) : τ₁ × τ₂

    Γ ⊢ v : τ₁    Γ, x:τ₁ ⊢ t : τ₂ & ε            Γ, f:τ₁ →^ε τ₂, x:τ₁ ⊢ t : τ₂ & ε    Γ ⊢ v : τ₁
    ──────────────────────────────────────        ────────────────────────────────────────────────────
    Γ ⊢ let x ⇐ v in t = t[v/x] : τ₂ & ε          Γ ⊢ (rec f x = t) v = t[v/x, (rec f x = t)/f] : τ₂ & ε

    Γ ⊢ t₁ : τ₁ & ε    Γ, y:τ₁ ⊢ t₂ : τ₂ & ε    Γ, x:τ₂, y:τ₁ ⊢ t₃ : τ₃ & ε
    ──────────────────────────────────────────────────────────────────────────────
    Γ ⊢ let x ⇐ (let y ⇐ t₁ in t₂) in t₃ = let y ⇐ t₁ in let x ⇐ t₂ in t₃ : τ₃ & ε

    Fig. 3: Basic equational theory (extract)

where t₁; t₂ = let _ ⇐ t₁ in t₂ is sequential composition and eq is an integer equality constant. We can justify the typing memo : (int →^∅ int) →^∅ (int →^∅ int), saying that if f is observationally pure, memo f is too, and so can participate in any program equivalence relying on purity. This was not justified by our previous model [4].
Set factory The next, more complicated, example is a program that can create and 
manipulate sets implemented as linked lists. 

If l ∈ L and h ∈ H and U is a finite set of integers and P is a finite subset of L, define S(l, h, U, P) to mean that in h location l points to a linked list of integer values occupying at most the locations in P (the "footprint") and so that the set of these integer values is U. So, for example, if h(l) = loc(l₁) and h(l₁) = (int(1), loc(l₂)) and h(l₂) = (int(1), int(0)) then S(l, h, {1}, {l₁, l₂}) holds.

For each location l define functions mem_l, add_l, rem_l so that mem_l(int(i)) checks whether i occurs in the list pointed to by l, returning int(1) iff yes, and, for the fun of it, removes all duplicates in that list and relocates some of its nodes. Thus, in particular, if mem_l(int(i))(h) = (h₁, v) then if S(l, h, U, P) one has S(l, h₁, U, P') for some P' where P' ⊆ P ∪ (dom(h₁) \ dom(h)) and v = int(1) iff i ∈ U.

The function add_l adds its integer argument to the set, and rem_l removes it, each possibly making "optimizations" similar to mem_l.

Now consider a function setfactory returning upon each call a fresh location l and the tuple of functions (mem_l, add_l, rem_l). We will be able to justify the following semantic typing for setfactory:

    setfactory : ∃r. (int →^{rd_r} int) × (int →^{wr_r} unit) × (int →^{wr_r} unit) & al_r

which expresses that setfactory() allocates in some (possibly fresh) region r and returns operations that only read r (the first one) or write in r (the second and third one) even though, physically, all three functions read, write, and allocate.

Thus, these functions can participate in corresponding effect-dependent program 
equivalences, in particular, two successive mem operations may be swapped and dupli- 
cated; identical updates may even be contracted. 
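The set-factory example above, carried out as an added illustration (this is not code from the paper): a heap satisfying the axioms of Section 2, the list encoding of the example (a root location holding loc(l₁), or int(0) for the empty list, and nodes as pairs (int(i), next)), the predicate S(l, h, U, P), and a mem_l that answers membership while deduplicating and relocating every node. demo() checks the footprint condition P' ⊆ P ∪ (dom(h₁) \ dom(h)) from the text, that the heap has physically changed, and that a second mem_l changes nothing observable. Sequential allocation of locations and the empty-list convention are assumptions of this example.

```python
"""Added illustration of the Section 2 heap axioms and the Section 2.1 set factory.
Not the paper's code; locations are allocated sequentially here (an assumption)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

@dataclass(frozen=True)
class Int:            # int(n)
    n: int

@dataclass(frozen=True)
class Loc:            # loc(l)
    l: int

NIL = Int(0)          # int(0) ends a list, as in the paper's example h(l2) = (int(1), int(0))

class Heap:
    """Finite map from locations to values; every operation returns a new heap."""
    def __init__(self, store: Optional[Dict[int, object]] = None, next_loc: int = 0) -> None:
        self._s, self._next = dict(store or {}), next_loc

    def dom(self) -> FrozenSet[int]:
        return frozenset(self._s)

    def get(self, l: int) -> object:                  # h(l), defined for l in dom(h)
        return self._s[l]

    def update(self, l: int, v: object) -> "Heap":    # h[l -> v]; dom is unchanged
        assert l in self._s, "update outside dom(h)"
        return Heap({**self._s, l: v}, self._next)

    def new(self, v: object) -> Tuple[int, "Heap"]:   # new(h, v) = (l, h'), l not in dom(h)
        l = self._next
        return l, Heap({**self._s, l: v}, l + 1)

EMPTY = Heap()        # the empty heap, dom(EMPTY) = {}

def walk(h: Heap, l: int) -> Optional[Tuple[List[int], FrozenSet[int]]]:
    """Elements and footprint of the list rooted at l, or None if it is not a well-formed list."""
    elems, seen = [], []
    cur = h.get(l)
    while cur != NIL:
        if not isinstance(cur, Loc) or cur.l in seen or cur.l not in h.dom():
            return None                                 # dangling pointer or cycle
        seen.append(cur.l)
        node = h.get(cur.l)
        if not (isinstance(node, tuple) and len(node) == 2 and isinstance(node[0], Int)):
            return None
        elems.append(node[0].n)
        cur = node[1]
    return elems, frozenset(seen)

def S(l: int, h: Heap, U, P) -> bool:
    """S(l, h, U, P): l points to a list with element set U occupying at most the locations P."""
    r = walk(h, l)
    return r is not None and set(r[0]) == set(U) and r[1] <= frozenset(P)

def build(h: Heap, l: int, elems: List[int]) -> Heap:
    """Relocate: allocate fresh nodes for elems and repoint the root l at them."""
    nxt: object = NIL
    for e in reversed(elems):
        n, h = h.new((Int(e), nxt))
        nxt = Loc(n)
    return h.update(l, nxt)

def mem(l: int, i: int):
    """mem_l(int(i)): membership test that also deduplicates and relocates the list."""
    def run(h: Heap) -> Tuple[Heap, Int]:
        elems, _ = walk(h, l)
        h1 = build(h, l, list(dict.fromkeys(elems)))  # physical writes and allocations
        return h1, Int(1 if i in elems else 0)
    return run

def add(l: int, i: int):
    """add_l(int(i)): insert i, again rebuilding the list."""
    def run(h: Heap) -> Tuple[Heap, tuple]:
        elems, _ = walk(h, l)
        return build(h, l, list(dict.fromkeys(elems + [i]))), ()
    return run

def example_heap() -> Tuple[Heap, int, FrozenSet[int]]:
    """The paper's example: h(l) = loc(l1), h(l1) = (int(1), loc(l2)), h(l2) = (int(1), int(0))."""
    l2, h = EMPTY.new((Int(1), NIL))
    l1, h = h.new((Int(1), Loc(l2)))
    l, h = h.new(Loc(l1))
    return h, l, frozenset({l1, l2})

def demo() -> dict:
    """Run mem_l twice on the example heap and check the invariants stated in the text."""
    h, l, P = example_heap()
    h1, v = mem(l, 1)(h)
    h2, v2 = mem(l, 1)(h1)                # a second mem: same answer, abstract set unchanged
    fresh = h1.dom() - h.dom()            # dom(h1) \ dom(h)
    return {"S_before": S(l, h, {1}, P), "answer": v.n,
            "S_after": S(l, h1, {1}, P | fresh),       # P' ⊆ P ∪ (dom(h1) \ dom(h))
            "physically_changed": h1.get(l) != h.get(l),
            "second_mem_same": v2 == v and S(l, h2, {1}, h2.dom())}
```

setfactory itself is just EMPTY.new(NIL) (or h.new(NIL) on the current heap) followed by partial application of mem and add to the fresh root. The point the checks make is the one the typing of setfactory states: mem rewrites and allocates on every call, yet the abstract set U and the footprint condition are preserved, so at the level of S it is a read.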

Interleaved dummy allocation Consider the following example, which looks similar to the dummy example above, but where the dummy allocation happens after a proper allocation:

    e₁ = let p ⇐ ref(0) in let d ⇐ ref(0) in e; !p        and        e₂ = let p ⇐ ref(0) in e; !p.

Here d is not free in e, but p may be free. This simple difference leads to many problems when attempting to prove their equivalence. We sketch them below to also motivate our technical solution introduced formally in the following sections.
As normally done, the evolution of the heaps can be formally captured by using Kripke models, where, intuitively, a world contains the set of locations allocated by programs. Whenever there is an allocation, we advance from the current world w to a world w₁ which contains some fresh locations. However, we do not have control over this evolution. In our example, assume that the programs above start at the same world w. The allocation of the proper location, p, in e₁ and in e₂ will yield two different extensions w → w₁ and w → w₂, where some concrete locations, l₁ and l₂, are allocated respectively. In fact, w₁ and w₂ may even contain other locations that are not used by the computations. For proving the equivalence between these programs, we need a way to capture that l₁ and l₂ are equivalent, without requiring to identify the other locations not used by computations.

Our solution is to use pullback squares as proofs. Their shape is depicted in Figure 4, where w̲ and w̄ are called, respectively, the low point and apex of the square. It helps to interpret w̄ as a superset of w₁ ∪ w₂, that is, a world containing all the locations mentioned in w₁ and w₂, even the locations not used by computations, while w̲ = w₁ ∩ w₂ (modulo renaming of location names) is a world containing only the locations that need to be identified. Intuitively, the low point is the part of the proof showing that resulting heaps of computations are equivalent. This is formalized by Definition 13. In the example above, the low point is a world where l₁ and l₂ are shown to be equivalent. The remaining locations in w₁ and w₂ that are not used by computations may be ignored, that is, not be contained in w̲. The apex, w̄, on the other hand, is the part of the proof showing that the corresponding values resulting from computations, !p in the example above, are indeed equivalent (see again Definition 13).

              w̄
            ↗    ↖
          w₁      w₂
            ↖    ↗
              w̲

    Fig. 4: Pullback square



3 Setoids 



We define the category of setoids as the exact completion of the category of predomains, see [10, 8]. We give here an elementary description using the language of dependent types. A setoid A consists of a predomain |A| and for any two x, y ∈ |A| a set A(x, y) of "proofs" (that x and y are equal). The set of triples {(x, y, p) | p ∈ A(x, y)} must itself be a predomain and the first and second projections must be continuous. Furthermore, there are continuous functions

    r_A : Πx ∈ |A|. A(x, x)
    s_A : Πx, y ∈ |A|. A(x, y) → A(y, x)
    t_A : Πx, y, z ∈ |A|. A(x, y) × A(y, z) → A(x, z).

If p ∈ A(x, y) we may write p : x ~ y or simply x ~ y. We also omit |−| wherever appropriate. We remark that "setoids" also appear in constructive mathematics and formal proof, but the proof-relevant nature of equality proofs is not exploited there and everything is based on sets (types) rather than predomains. A morphism from setoid A to setoid B is an equivalence class of pairs f = (f₀, f₁) of continuous functions where f₀ : |A| → |B| and f₁ : Πx, y ∈ |A|. A(x, y) → B(f₀(x), f₀(y)). Two such pairs f, g : A → B are identified if there exists a continuous function p : Πa ∈ |A|. B(f₀(a), g₀(a)).



Proposition 1. The category of setoids is cartesian closed; moreover, if D is a setoid such that |D| has a least element ⊥ and there is also a least proof ⊥ ∈ D(⊥, ⊥) then there is a morphism of setoids Y : [D → D] → D satisfying the usual fixpoint equations.
3.1 Pullback squares A morphism u in a category W is a monomorphism if ux = ux' implies x = x' for all morphisms x, x'. A commuting square xu = x'u' of morphisms is a pullback if whenever xv = x'v' there is a unique t such that v = ut and v' = u't. We write ◇, or w_x◇_x' w' (when w = dom(x) and w' = dom(x')), for such a pullback square. We call the common codomain of x and x' the apex of the pullback, written w̄, while the common domain of u, u' is the low point of the square, written w̲. A pullback square xu = x'u' is minimal if whenever fx = gx and fx' = gx' then f = g, in other words, x and x' are jointly epic. A pair of morphisms u, u' with common domain is a span, a pair of morphisms x, x' with common codomain is a co-span. A category has pullbacks if every co-span can be completed to a pullback square.

Definition 1 (Category of worlds). A category W is a category of worlds if it has pullbacks and every span can be completed to a minimal pullback square and all morphisms are monomorphisms.

Example 3.1 The category of sets and injections is a category of worlds. Given f : X → Z and g : Y → Z, we form their pullback as

    X ←(f⁻¹)− fX ∩ gY −(g⁻¹)→ Y.

This is minimal when fX ∪ gY = Z. Conversely, given a span Y ←(f)− X −(g)→ Z, we can complete to a minimal pullback by

    (Y \ fX) ⊎ fX −→ (Y \ fX) + (Z \ gX) + X ←− (Z \ gX) ⊎ gX

where the two maps are given by case analysis [−, −] on the disjoint unions Y = (Y \ fX) ⊎ fX and Z = (Z \ gX) ⊎ gX: an element outside the image of X is sent to its own summand, and the elements f(x) and g(x) of the images are both sent to x in the summand X.

Given an arbitrary category C, the category of worlds W_C has objects pairs (X, f) where X is a set and f : X → |C| is an X-indexed family of C-objects. A morphism from (X, f) to (Y, g) is an injective function u : X → Y and a family of isomorphisms v_x : f(x) ≅ g(u(x)). The first components of the pullbacks and minimal pullbacks are constructed as in the previous example. □
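Example 3.1 worked out on finite sets, as an added illustration (not code from the paper): pullback builds the pullback of a co-span of injections as fX ∩ gY with the inverse images as legs, complete_span builds the minimal pullback completion (Y \ fX) + (Z \ gX) + X of a span, and is_pullback checks the universal property by brute force, which suffices on finite sets. Functions are Python dicts and the disjoint union is encoded with tagged tuples; both are conventions of this example.

```python
"""Added illustration of Example 3.1: pullbacks and minimal pullback completions in the
category of finite sets and injections. Not code from the paper; maps are dicts."""
from typing import Dict, Hashable, Set, Tuple

Map = Dict[Hashable, Hashable]

def is_injection(f: Map, X: Set, Z: Set) -> bool:
    """f : X -> Z is a total injective function."""
    return set(f) == set(X) and set(f.values()) <= set(Z) and len(set(f.values())) == len(X)

def pullback(f: Map, X: Set, g: Map, Y: Set, Z: Set) -> Tuple[Set, Map, Map]:
    """Pullback of the co-span X -f-> Z <-g- Y: the object fX ∩ gY with legs f⁻¹ and g⁻¹."""
    assert is_injection(f, X, Z) and is_injection(g, Y, Z)
    finv = {z: x for x, z in f.items()}
    ginv = {z: y for y, z in g.items()}
    P = set(finv) & set(ginv)
    return P, {p: finv[p] for p in P}, {p: ginv[p] for p in P}

def is_pullback(u: Map, u2: Map, x: Map, x2: Map, P: Set, W: Set, W2: Set, A: Set) -> bool:
    """Universal property of the square x∘u = x2∘u2 (low point P, sides W and W2, apex A):
    it commutes, and every (w, w2) with x w = x2 w2 comes from exactly one p in P."""
    if not all(x[u[p]] == x2[u2[p]] for p in P):
        return False
    for w in W:
        for w2 in W2:
            if x[w] == x2[w2] and sum(1 for p in P if u[p] == w and u2[p] == w2) != 1:
                return False
    return True

def is_minimal(x: Map, W: Set, x2: Map, W2: Set, A: Set) -> bool:
    """Minimal: the two sides are jointly surjective onto the apex (jointly epic)."""
    return {x[w] for w in W} | {x2[w] for w in W2} == set(A)

def complete_span(f: Map, X: Set, Y: Set, g: Map, Z: Set) -> Tuple[Set, Map, Map]:
    """Minimal pullback completion of the span Y <-f- X -g-> Z with apex (Y - fX) + (Z - gX) + X.
    Summands are tagged 'Y', 'Z', 'X'; both maps send the image of X back to X."""
    assert is_injection(f, X, Y) and is_injection(g, X, Z)
    fX, gX = set(f.values()), set(g.values())
    finv = {f[x]: x for x in X}
    ginv = {g[x]: x for x in X}
    apex = {("Y", y) for y in Y - fX} | {("Z", z) for z in Z - gX} | {("X", x) for x in X}
    from_Y = {y: ("X", finv[y]) if y in fX else ("Y", y) for y in Y}
    from_Z = {z: ("X", ginv[z]) if z in gX else ("Z", z) for z in Z}
    return apex, from_Y, from_Z

def demo_cospan():
    """A co-span whose pullback object is {b}; the square is minimal because fX ∪ gY = Z."""
    X, Y, Z = {1, 2, 3}, {10, 20}, {"a", "b", "c", "d"}
    f, g = {1: "a", 2: "b", 3: "c"}, {10: "b", 20: "d"}
    P, u, u2 = pullback(f, X, g, Y, Z)
    return P, u, u2, is_pullback(u, u2, f, g, P, X, Y, Z), is_minimal(f, X, g, Y, Z)

def demo_span():
    """A span: its completion is a pullback square and is minimal."""
    X, Y, Z = {1, 2}, {"p", "q", "r"}, {"s", "t"}
    f, g = {1: "p", 2: "q"}, {1: "s", 2: "t"}
    apex, x1, x2 = complete_span(f, X, Y, g, Z)
    return apex, is_pullback(f, g, x1, x2, X, Y, Z, apex), is_minimal(x1, Y, x2, Z, apex)
```

In demo_span the apex has exactly three elements: the two elements of X that both sides share, and the one element r of Y that is not in the image of X. That is the "intersection world" reading of the low point and the "union" reading of the apex given around Figure 4.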

We write r(w) for the square w_id◇_id w, s(w_x◇_x' w') for the flipped square w'_x'◇_x w, and t(w_x◇_x' w', w'_y◇_y' w'') for the composite square w_zx◇_z'y' w'', where z, z', t, t' are chosen so that all four participating squares are pullbacks.

3.2 Setoid-valued functors A functor A from a category of worlds W to the category of setoids comprises as usual for each w ∈ W a setoid Aw and for each u : w → w' a morphism of setoids Au : Aw → Aw' preserving identities and composition. If u : w → w' and a ∈ Aw we may write u.a or even ua for Au(a) and likewise for proofs in Aw. Note that (uv).a = u.(v.a).

Definition 2. We call a functor pullback-preserving (p.p.f.) if for every pullback square w_x◇_x' w' with apex w̄ and low point w̲ the diagram Aw_Ax◇_Ax' Aw' is a pullback in Std. This means that there is a continuous function of type

    Πa ∈ Aw. Πa' ∈ Aw'. Aw̄(x.a, x'.a') → Σa̲ ∈ Aw̲. Aw(u.a̲, a) × Aw'(u'.a̲, a')

Thus, if two values a ∈ Aw and a' ∈ Aw' are equal in a common world w̄ then this can only be the case because there is a value in the "intersection world" w̲ from which both a, a' arise. Intuitively, p.p.f.s will become the denotations of value types.

3.3 Fibred setoids In order to provide meanings for computation types we need a weaker variant of p.p.f., namely, fibred setoids. These lack the facility of transporting values along world morphisms but instead allow the proof-relevant comparison of values at different worlds provided the latter are related by a pullback square.
Definition 3. A fibred setoid over a category of worlds W is given by a predomain Tw for every w ∈ W and, for every pullback square w◇w' and elements a ∈ Tw and a' ∈ Tw', a set T◇(a, a'), so that the set of tuples (a, a', q) with q ∈ T◇(a, a') is a predomain with continuous projections.

Next, we need continuous operations r, s, t so that r(a) ∈ Tr(w)(a, a) when a ∈ Tw, and s(q) ∈ Ts(◇)(a', a) when q ∈ T◇(a, a'), and t(q, q') ∈ Tt(◇, ◇')(a, a'') when q ∈ T◇(a, a') and q' ∈ T◇'(a', a'').

In addition, for any two isomorphic pullback squares ◇ and ◇' between w and w' there is a continuous operation of type Πa ∈ Tw. Πa' ∈ Tw'. T◇(a, a') → T◇'(a, a').

Finally, for each pullback square ◇ = w_x◇_x' w' with apex w̄ and low point w̲ there is a continuous function of type

    Πt 'in' Tw. Πt' ∈ Tw'. T◇(t, t') → Σt̲ ∈ Tw̲. T(w̲_u◇_id w)(t̲, t) × T(w̲_u'◇_id w')(t̲, t')

where w̲_u◇_id w denotes the pullback square between w̲ and w whose sides are u : w̲ → w and the identity on w (and similarly for u'). Note the similarity of the last operation to pullback-preservation.

Example 3.2 If A is a p.p.f., we obtain a fibred setoid S(A) as follows: S(A)w = Aw and, if w_x◇_x' w' has apex w̄, define the proof set S(A)(w_x◇_x' w')(a, a') = Aw̄(x.a, x'.a'). □

Definition 4. A morphism f from fibred setoid T to fibred setoid T' is an equivalence class of pairs of continuous functions f₀ : Πw. Tw → T'w and f₁ : Πw, w'. Π w◇w'. Πa ∈ Tw. Πa' ∈ Tw'. T◇(a, a') → T'◇(f₀(w, a), f₀(w', a')).

Two such pairs f, f' are identified if there exists a continuous function that assigns to each w and a ∈ Tw a proof π(a) ∈ T'r(w)(f₀(w, a), f'₀(w, a)).

3.4 Contravariant functors and relations The role of the next concept is to give meaning to abstract stores.

Definition 5. A contravariant functor 𝔖 from a category of worlds W to the category of setoids comprises for each w ∈ W a nonempty setoid 𝔖w and for each morphism u : w₀ → w a setoid morphism 𝔖u : 𝔖w → 𝔖w₀ such that u ↦ 𝔖u preserves identities and composition.

If σ ∈ 𝔖w and u : w₀ → w we write σ.u or σu for 𝔖u(σ). Note that σ.(uv) = (σ.u).v. Intuitively, σ.u can be interpreted as the abstract heap obtained by forgetting locations in σ that have been "allocated" by the world evolution specified by u, namely, those appearing in w and not in w₀.

Definition 6. A contravariant functor 𝔖 preserves minimal pullbacks if whenever w_x◇_x' w' with apex w̄ and low point w̲ is a minimal pullback square then the diagram 𝔖w_𝔖u◇_𝔖u' 𝔖w' (with apex 𝔖w̲ and low point 𝔖w̄, the arrows being reversed by contravariance) is a pullback in Std.

This means in particular that if σ ∈ 𝔖w, σ' ∈ 𝔖w' and σ.u ~ σ'.u' then there exists a "pasting" σ̄ ∈ 𝔖w̄ such that σ̄.x ~ σ and σ̄.x' ~ σ' and σ̄ is unique up to ~. Moreover the passage from the given data to σ̄ and the witnessing proofs is continuous.

Definition 7. A relation R on such a contravariant functor 𝔖 consists of an admissible subset Rw ⊆ 𝔖w × 𝔖w for each w such that (σ, σ') ∈ Rw and u : w₀ → w implies (σ.u, σ'.u) ∈ Rw₀, and if p : σ ~ σ₁ and p' : σ' ~ σ'₁ then (σ₁, σ'₁) ∈ Rw as well.

It would be natural to let relations be proof-relevant as well, but we refrain from doing so at this stage for the sake of simplicity.
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4 Computational model 

We use a setoid interpretation in order to justify nontrivial type-dependent observa- 
tional equivalences for the language above. This interpretation is parametric over an 
instantiation, defined below. 

Definition 8. An instantiation comprises the following data.

• a category of worlds $\mathbb{W}$;

• a full-on-objects subcategory $\mathbb{I}$ of inclusions (in other words, a subset of the morphisms closed under composition and comprising the identities) with the property that every morphism $u$ can be factored as $u = f i$ and $u = j g$ with $f, g$ isomorphisms and $i, j$ inclusions;

• a contravariant, minimal-pullback-preserving functor $\mathcal{S}$ from $\mathbb{W}$ to the category of setoids;

• for each $w \in \mathbb{W}$ a relation $\Vdash_w \subseteq \mathbb{H} \times \mathcal{S}w$ subject to the axiom that $h \Vdash_w \sigma$ and $u \in \mathbb{I}(w_0, w)$ implies $h \Vdash_{w_0} \sigma.u$;

• a set of elementary effects $\mathcal{E}$ and, for each elementary effect $\varepsilon$, a set $\mathcal{R}(\varepsilon)$ of relations on $\mathcal{S}$. As usual, one defines effects as sets of elementary effects and extends $\mathcal{R}$ to all effects by $\mathcal{R}(\emptyset) =$ "all relations on $\mathcal{S}$" (in the sense described in Section 3.4) and $\mathcal{R}(\varepsilon) = \bigcap_{\varepsilon_0 \in \varepsilon} \mathcal{R}(\varepsilon_0)$.

We give two examples of instantiations. The appendix contains a third example, mirroring our previous model.

4.1 Sets of locations In the first one, called sets of locations, worlds are finite sets of (allocated) locations (taken from $\mathbb{L}$) and their morphisms are injective functions, with inclusions being actual inclusions. Abstract stores are given by $\mathcal{S}w = \{h \mid \mathrm{dom}(h) \supseteq w\}$, with $\mathcal{S}w(h, h')$ inhabited (by a single trivial proof) for all $h, h'$, and $\mathcal{S}u$ given by renaming locations.

We put $h \Vdash_w h'$ whenever $h = h'$. We only have one elementary effect here, $\mathit{al}$, representing the allocation of one or more fresh names. Note that if $R$ is a relation on $\mathcal{S}$ then $Rw$ is either total or empty, and if $u : w \to w'$ then $Rw' \neq \emptyset \Rightarrow Rw \neq \emptyset$. A relation $R$ is in $\mathcal{R}(\mathit{al})$ if for every inclusion $u : w \to w'$ one also has $Rw \neq \emptyset \Rightarrow Rw' \neq \emptyset$; thus $R$ is oblivious to world extensions.

4.2 Abstract locations To formulate the second instantiation, called Heap PERs, we need the concept of an abstract location, which generalises physical locations in that it models a portion of the store that can be read from and updated. Such a portion may comprise a fixed set of physical locations or a varying such set (as in the case of a linked list with some given root). It may also reside in just a part of a physical location, e.g., comprise the two low-order bits of an integer value stored in a physical location. Furthermore, the equality on such an abstract location may be coarser than physical equality, e.g., two linked lists might be considered equal when they hold the same set of elements, and there may be an invariant, e.g. the linked list should contain integer entries and be neither circular nor aliased with other parts of the heap. This then prompts us to model an abstract location as a partial equivalence relation (PER) on heaps together with two more components that describe how modifications of the abstract location interact with the heap as a whole. Thus, next to a PER, an abstract location also contains a collection of (continuous) functions that model writing to the abstract location. These functions are closed under composition (thus form a category) and are idempotent in the sense of the PER modelling equality.
Thirdly, an abstract location has a "footprint", which is a heap-dependent set of physical locations that overapproximates the effect of the guarantee, so as to enable the creation of fresh abstract locations without knowing the precise nature of the other abstract locations that are already there. (These footprints are very similar to accessibility maps, first introduced for reasoning in a model of state based on FM-domains [7].)

Definition 9. An abstract location $\ell$ (on the chosen predomain $\mathbb{H}$) consists of the following data:

- a nonempty, admissible partial equivalence relation (PER) $\ell^{\ast}$ on $\mathbb{H}$ modelling the "semantic equality" on the bits of the store that $\ell$ uses (a "rely-condition");

- a set $\ell^{\mathsf{g}}$ of continuous functions on $\mathbb{H}$ closed under composition, modelling the functions that "write only on $\ell$", leaving other locations alone (a "guarantee-condition");

- a continuous function $\ell^{\mathsf{f}} : \prod_{h \in \mathbb{H}} \mathcal{P}(\mathrm{dom}(h))$ describing the "footprint" of the abstract location (where the ordering on the powerset $\mathcal{P}(\mathrm{dom}(h))$ is of course discrete),

subject to the conditions

- if $\iota \in \ell^{\mathsf{g}}$ and $(h, h') \in \ell^{\ast}$ then $(\iota(h), \iota(h'))$, $(\iota(h), \iota(\iota(h)))$, $(\iota(h'), \iota(\iota(h'))) \in \ell^{\ast}$;

- if $\forall l \in \ell^{\mathsf{f}}(h).\, h_1(l) = h(l)$ and $\forall l \in \ell^{\mathsf{f}}(h').\, h'_1(l) = h'(l)$ then $(h, h') \in \ell^{\ast}$ implies $(h_1, h'_1) \in \ell^{\ast}$; thus $\ell^{\ast}$ "looks" no further than the footprint;

- if $\iota \in \ell^{\mathsf{g}}$ and $\iota(h) = h_1$ then $\mathrm{dom}(h) \subseteq \mathrm{dom}(h_1)$, and $l \in \mathrm{dom}(h) \setminus \ell^{\mathsf{f}}(h)$ implies $l \notin \ell^{\mathsf{f}}(h_1)$ and $h(l) = h_1(l)$.

Two abstract locations $\ell_1, \ell_2$ are independent if

- for $i = 1, 2$ and $\iota(h) = h_1$ for $\iota \in \ell_i^{\mathsf{g}}$ one has: $(h, h) \in \ell_i^{\ast}$ and $(h, h') \in \ell_{3-i}^{\ast}$ imply $(h_1, h') \in \ell_{3-i}^{\ast}$, and $l \in \mathrm{dom}(h) \setminus \ell_{3-i}^{\mathsf{f}}(h)$ implies $l \notin \ell_{3-i}^{\mathsf{f}}(h_1)$;

- if $(h_1, h_1) \in \ell_1^{\ast}$ and $(h_2, h_2) \in \ell_2^{\ast}$ then there exists $h$ such that $(h, h_1) \in \ell_1^{\ast}$ and $(h, h_2) \in \ell_2^{\ast}$. (This amounts to $\mathbb{H}/(\ell_1^{\ast} \cap \ell_2^{\ast})$ being a cartesian product of $\mathbb{H}/\ell_1^{\ast}$ and $\mathbb{H}/\ell_2^{\ast}$.)

If $\ell_1, \ell_2$ are independent, we form a joint location $\ell_1 \otimes \ell_2$ by $(\ell_1 \otimes \ell_2)^{\ast} = \ell_1^{\ast} \cap \ell_2^{\ast}$, $(\ell_1 \otimes \ell_2)^{\mathsf{g}} = (\ell_1^{\mathsf{g}} \cup \ell_2^{\mathsf{g}})^{\ast}$ (the closure under composition) and $(\ell_1 \otimes \ell_2)^{\mathsf{f}}(h) = \ell_1^{\mathsf{f}}(h) \cup \ell_2^{\mathsf{f}}(h)$.

If $l \in \mathbb{L}$ is a concrete location, we can define an abstract counterpart by putting $l^{\ast} = \{(h, h') \mid h(l) = h'(l)\}$, letting $l^{\mathsf{g}}$ be the set with a write function for each value that may be stored in $l$, and taking $\{l\}$ as footprint. For instance, if $l$ stores booleans, then $l^{\mathsf{g}}$ contains the functions $\mathit{write}_{\mathit{true}}$ and $\mathit{write}_{\mathit{false}}$, where $\mathit{write}_{\mathit{true}}(h) = h'$ such that $h'(l) = \mathit{true}$ and $h'(l') = h(l')$ for all other locations $l' \neq l$. When $l_1 \neq l_2$ then the induced abstract locations are independent.

The next example illustrates that abstract locations may be independent although their footprints share some concrete locations. Fix a concrete location $l$ and define two abstract locations $\ell_1$ and $\ell_2$, both with footprint consisting of the location $l$. Moreover, $(h, h')$ belongs to the rely of location $\ell_i$ ($i = 1, 2$) if $h(l)$ and $h'(l)$ are both integers whose $i$-th significant bit agrees. The guarantee $\ell_i^{\mathsf{g}}$ might then contain functions that set the $i$-th bit to some fixed value and leave the other bits alone. It is easy to see that $\ell_1, \ell_2$ are independent.

Thirdly, let $l_1, l_2$ be two distinct concrete locations and for a heap $h$ and finite integer sets $U_1, U_2$ define $P(h, U_1, U_2)$ to mean that in $h$ the locations $l_1, l_2$ point to non-overlapping integer lists with sets of elements $U_1$ and $U_2$. Now define abstract location $\ell_i$ by $\ell_i^{\ast} = \{(h, h') \mid \exists U_1, U_2.\, P(h, U_1, U_2) \wedge P(h', U_1, U_2)\}$ and $\ell_i^{\mathsf{f}}(h) =$ "locations reachable from $l_i$" if $l_i$ points to a well-formed list of integers in $h$, and $\emptyset$ otherwise. The guarantee component $\ell_i^{\mathsf{g}}$ contains all the (idempotent) functions $\iota$ that leave the locations not in the footprint of $\ell_i$ alone, that is, $\iota(h) = h'$ with $h'(l') = h(l')$ for all $l' \in \mathrm{dom}(h) \setminus \ell_i^{\mathsf{f}}(h)$. Again, $\ell_1$ and $\ell_2$ are independent.
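The conditions of Definition 9 and the independence clauses are decidable on a finite heap model, which makes them easy to sanity-check. The following is an added example, not code from the paper: it models heaps as dictionaries over two constructed concrete locations holding two-bit integers, encodes the "$i$-th bit" abstract locations and the abstract counterpart of a concrete location, and checks the rely/guarantee/footprint conditions and independence by exhaustive enumeration. All names (`bit_location`, `concrete_location`, `HEAPS`, and so on) are this example's own.

```python
# Added example, not from the paper: a finite model of Definition 9 and of
# independence, checked exhaustively on a constructed two-cell heap.  Names
# (bit_location, concrete_location, HEAPS, ...) are this example's own.
from itertools import product

LOCS = ("l", "m")        # constructed concrete locations
VALS = range(4)          # each cell holds a two-bit integer 0..3
HEAPS = [dict(zip(LOCS, vs)) for vs in product(VALS, repeat=len(LOCS))]


def bit_location(loc, i):
    """Abstract location owning bit i of the integer at concrete location loc.

    Returns the triple (rely PER l*, guarantee set l^g, footprint l^f)."""
    def rely(h, hp):                       # l*: the i-th bits agree
        return (h[loc] >> i) & 1 == (hp[loc] >> i) & 1

    def write(v):                          # guarantee: set bit i to v, nothing else
        def iota(h):
            hp = dict(h)
            hp[loc] = (h[loc] & ~(1 << i)) | (v << i)
            return hp
        return iota

    return rely, [write(0), write(1)], (lambda h: {loc})


def concrete_location(loc):
    """The abstract counterpart of a concrete location (Section 4.2)."""
    def rely(h, hp):
        return h[loc] == hp[loc]

    def write(v):
        def iota(h):
            hp = dict(h)
            hp[loc] = v
            return hp
        return iota

    return rely, [write(v) for v in VALS], (lambda h: {loc})


def is_abstract_location(rely, guarantee, footprint, heaps=HEAPS):
    """The three conditions of Definition 9, checked on all heaps in `heaps`."""
    for h in heaps:
        for iota in guarantee:
            h1 = iota(h)
            # writes may only grow the domain and must leave everything outside
            # the footprint alone, without pulling it into the footprint
            if not set(h) <= set(h1):
                return False
            if any(x in footprint(h1) or h[x] != h1[x] for x in set(h) - footprint(h)):
                return False
        for hp in heaps:
            if not rely(h, hp):
                continue
            for iota in guarantee:       # guarantee respects l* and is idempotent up to l*
                if not (rely(iota(h), iota(hp)) and rely(iota(h), iota(iota(h)))):
                    return False
            for h1 in heaps:             # l* looks no further than the footprint
                if any(h1[x] != h[x] for x in footprint(h)):
                    continue
                for hp1 in heaps:
                    if all(hp1[x] == hp[x] for x in footprint(hp)) and not rely(h1, hp1):
                        return False
    return True


def independent(a, b, heaps=HEAPS):
    """Both clauses of independence for abstract locations a and b."""
    for (r1, g1, _), (r2, _, f2) in ((a, b), (b, a)):
        for h in heaps:
            if not r1(h, h):
                continue
            for iota in g1:
                h1 = iota(h)
                # a write on one location preserves the other's rely ...
                if any(r2(h, hp) and not r2(h1, hp) for hp in heaps):
                    return False
                # ... and does not extend the other's footprint
                if any(x in f2(h1) for x in set(h) - f2(h)):
                    return False
    ra, rb = a[0], b[0]
    # pasting: well-formed states of a and of b combine into one heap
    return all(any(ra(h, h1) and rb(h, h2) for h in heaps)
               for h1 in heaps for h2 in heaps if ra(h1, h1) and rb(h2, h2))


BIT0, BIT1 = bit_location("l", 0), bit_location("l", 1)

if __name__ == "__main__":
    print(is_abstract_location(*BIT0), independent(BIT0, BIT1),
          independent(concrete_location("l"), BIT0))
```

The two bit locations share the footprint $\{l\}$ yet come out independent, whereas the full concrete location $l$ is not independent of either bit location: one of its writes changes the bit the other relies on, which is exactly the first independence clause failing.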
The role of the footprints is to provide a minimum amount of interaction with physical allocation. If $\ell$ is an abstract location and $h_0$ the current heap, so that $(h_0, h_0) \in \ell^{\ast}$, then we may, e.g., allocate $(h_1, l) = \mathit{new}(h_0, \mathit{int}(0))$ and define an abstract location $\ell_1$ by

$\ell_1^{\ast} = \{(h, h') \mid h(l) = h'(l) \in \mathit{int}(\mathbb{Z}) \wedge l \notin \ell^{\mathsf{f}}(h) \wedge l \notin \ell^{\mathsf{f}}(h')\}$

$\ell_1^{\mathsf{g}} = \{\iota \mid \iota(h) = h_1 \Rightarrow \forall l' \neq l.\, h(l') = h_1(l')\}$

$\ell_1^{\mathsf{f}}(h) = \{l\}$

We now know that $\ell$ and $\ell_1$ are independent and, furthermore, $(h_1, h_1) \in (\ell \otimes \ell_1)^{\ast}$.

Definition 10. Abstract locations $\ell_1, \dots, \ell_n$ are mutually independent if they are pairwise independent and whenever $(h_i, h_i) \in \ell_i^{\ast}$ for $i = 1 \dots n$ then there is $h$ such that $(h_i, h) \in \ell_i^{\ast}$ for $i = 1 \dots n$.

Lemma 1. Abstract locations $\ell_1, \dots, \ell_{n+1}$ are mutually independent iff $\ell_1, \dots, \ell_n$ are mutually independent and $\ell_{n+1}$ is independent of $\ell_1 \otimes \cdots \otimes \ell_n$.

4.3 Heap PERs We are now ready to formulate the second instantiation, Heap PERs. We assume an infinite set of regions $\mathit{Regs}$. A world $w$ comprises a finite set of mutually independent abstract locations (also written $w$) and, as in the case of flat stores, a tagging of locations with regions from $\mathit{Regs}$. We write $\ell \in w(r)$ to mean that $\ell \in w$ is tagged with $r$. We define $\mathcal{S}w = \{h \in \mathbb{H} \mid \forall \ell \in w.\, (h, h) \in \ell^{\ast}\}$, and $\mathcal{S}w(\sigma, \sigma') = \{\star\}$ if $\forall \ell \in w.\, (\sigma, \sigma') \in \ell^{\ast}$ and $\mathcal{S}w(\sigma, \sigma') = \emptyset$ otherwise. Again, $h \Vdash_w \sigma$ iff $h = \sigma$.

A morphism from $w$ to $w'$ is given by an injective function $u_0 : w \to w'$ and a pair of partial continuous functions $u_1, u_2 : \mathbb{H} \rightharpoonup \mathbb{H}$. Intuitively, the function $u_1$ is used to map the heaps in the PERs of locations in $w$ to $w'$ according to the renaming of locations specified in $u_0$, while $u_2$ does the same but from $w'$ to $w$. Formally, $\forall \sigma, \sigma' \in \mathcal{S}w.\, \forall \ell \in w.\, (\sigma, \sigma') \in \ell^{\ast} \Rightarrow (u_1(\sigma), u_1(\sigma')) \in u_0(\ell)^{\ast} \wedge (u_2(u_1(\sigma)), \sigma) \in \ell^{\ast}$ and $\forall \sigma, \sigma' \in \mathcal{S}w'.\, \forall \ell \in w.\, (\sigma, \sigma') \in u_0(\ell)^{\ast} \Rightarrow (u_2(\sigma), u_2(\sigma')) \in \ell^{\ast} \wedge (u_1(u_2(\sigma)), \sigma) \in u_0(\ell)^{\ast}$. The same is required for the guarantees of locations, replacing $(-)^{\ast}$ by $(-)^{\mathsf{g}}$. Now, $\mathcal{S}u(\sigma) = u_2(\sigma)$. Such a morphism $u$ is an inclusion if $u_0$ is an inclusion and $u_1, u_2$ are the identity function.

The elementary effects track reading, writing, and allocating at the level of regions: $\mathit{wr}_r$ (writing within region $r$), $\mathit{rd}_r$ (reading from within region $r$), $\mathit{al}_r$ (allocating within region $r$). The sets of relations on $\mathcal{S}$ modelling elementary effects are then given by

$R \in \mathcal{R}(\mathit{rd}_r) \iff (\sigma, \sigma') \in Rw \Rightarrow \forall \ell \in w(r).\, (\sigma, \sigma') \in \ell^{\ast}$

$R \in \mathcal{R}(\mathit{wr}_r) \iff (\sigma, \sigma') \in Rw \Rightarrow \forall \ell \in w(r).\, \forall \iota \in \ell^{\mathsf{g}}.\, (\iota(\sigma), \iota(\sigma')) \in Rw$

$R \in \mathcal{R}(\mathit{al}_r) \iff (\sigma, \sigma') \in Rw \Rightarrow \forall w_1.\, \forall u \in \mathbb{I}(w, w_1).\, (w_1 \setminus w \subseteq w_1(r)) \Rightarrow \forall \sigma_1, \sigma'_1 \in \mathcal{S}w_1.\, (\sigma_1.u \sim \sigma \wedge \sigma'_1.u \sim \sigma' \wedge (\sigma_1, \sigma'_1) \in \bigcap_{\ell \in w_1 \setminus w} \ell^{\ast}) \Rightarrow (\sigma_1, \sigma'_1) \in Rw_1$

Thus, a relation $R \in \mathcal{R}(\mathit{rd}_r)$ ensures that locations being read contain "equal" (in the sense of $\ell^{\ast}$) values; a relation $R \in \mathcal{R}(\mathit{wr}_r)$ is oblivious to writes to any abstract location in $r$; and a relation $R \in \mathcal{R}(\mathit{al}_r)$ is oblivious to extensions of the current world provided that the extension only adds abstract locations in region $r$, that the initial contents of these newly allocated locations are "equal" in the sense of $(-)^{\ast}$, and that nothing else is changed.

5 Proof-relevant Logical Relations

Given an instantiation, e.g. one of the above examples, we interpret types (and typing contexts) as p.p.f. over $\mathbb{W}$ and types with effect as fibred setoids over $\mathcal{S}(\mathbb{W})$. A term in context $\Gamma \vdash e : \tau \,\&\, \varepsilon$ will be interpreted as a morphism $[\![e]\!]$ from $\mathcal{S}([\![\Gamma]\!])$ to $T_\varepsilon [\![\tau]\!]$, where $T_\varepsilon$ takes p.p.f. and effects to fibred setoids and is given below in Definition 13. Derivations of equations will be interpreted as equality proofs between the corresponding morphisms and can be used to deduce observational equivalences (Theorem 3).

This, however, requires a loose relationship of the setoid interpretation with the actual meanings of raw terms, which is given by realization relations $\Vdash^{A}$. Their precise format and role are described in the following two definitions.

Definition 11. A semantic type is a pair $(A, \Vdash^A)$ where $A$ is a p.p.f. (on $\mathbb{W}$) and $\Vdash^A_w$ is an admissible subset of $\mathbb{V} \times Aw$ for each $w \in \mathbb{W}$ such that for every inclusion $u : w \to w'$ one has that $v \Vdash^A_w a$ implies $v \Vdash^A_{w'} u.a$. A semantic computation is a pair $(T, \Vdash^T)$ where $T$ is a fibred setoid over $\mathbb{W}$ and $\Vdash^T_w$ is an admissible subset of $\mathbb{C} \times Tw$ for each $w$.

Definition 12. Let $(\Gamma, \Vdash^\Gamma)$ and $(A, \Vdash^A)$ be semantic types and let $(T, \Vdash^T)$ be a semantic computation. If $e : \mathcal{S}(\Gamma) \to T$ is a morphism of fibred setoids and $f : \mathbb{V} \to \mathbb{C}$ then we write $f \Vdash^{\Gamma, T} e$ to mean that for some representative $(f_0, f_1)$ of $f$ one has that whenever $\eta \Vdash^\Gamma_w \gamma$ then $f(\eta) \Vdash^T_w e(\gamma)$ holds, for all worlds $w$.

The following definition, corresponding to that in Fig. 1, is where the machinery introduced above pays off. In particular, it defines the semantics of computations, where proofs, i.e., pullback squares, are constructed.

Definition 13. Let $A$ be a semantic type and $\varepsilon$ an effect. A semantic computation $T_\varepsilon A$ is defined as follows:

• (Objects) Elements of $(T_\varepsilon A)w$ are pairs $(c_0, c_1)$ of partial continuous functions where

$c_0 : \mathcal{S}w \rightharpoonup \sum_{w_1} \mathbb{W}(w, w_1) \times \mathcal{S}w_1 \times Aw_1$

and $c_1$ is as follows. If $R \in \mathcal{R}(\varepsilon)$ and $(\sigma, \sigma') \in Rw$ then $c_1(R, \sigma, \sigma')$ either is undefined, and then $c_0(\sigma)$ and $c_0(\sigma')$ are both undefined, or else $c_1(R, \sigma, \sigma')$ is defined, and then $c_0(\sigma)$ and $c_0(\sigma')$ are both defined, say $c_0(\sigma) = (w_1, u, \sigma_1, a)$ and $c_0(\sigma') = (w'_1, u', \sigma'_1, a')$. In this case, $c_1(R, \sigma, \sigma')$ returns a pair consisting of a pullback square $w_1 \diamond w'_1$ with low point $w$ and apex $\hat{w}$, i.e. morphisms $x : w_1 \to \hat{w}$ and $x' : w'_1 \to \hat{w}$ such that $xu = x'u'$, and a proof $p$. Furthermore, $p \in A\hat{w}(x.a, x'.a')$ and, finally, $(\sigma_1.u, \sigma'_1.u') \in Rw$.

• (Proofs) As usual, proofs only look at the $(-)_0$ components. Thus, if $(c_0, \_) \in T_\varepsilon A w$ and $(c'_0, \_) \in T_\varepsilon A w'$ and $w \diamond w'$ is a square in $\mathcal{S}(\mathbb{W})(w, w')$ with apex $\hat{w}$ and low point $\check{w}$ (with $v : \check{w} \to w$ and $v' : \check{w} \to w'$), then a proof in $(T_\varepsilon A)(w \diamond w')(c, c')$ is a partial continuous function $\mu$ which, given $\sigma \in \mathcal{S}w$ and $\sigma' \in \mathcal{S}w'$ and $p : \sigma.v \sim \sigma'.v'$, either is undefined, and then $c_0(\sigma)$ and $c'_0(\sigma')$ are both undefined, or else is defined, and then $c_0(\sigma)$ and $c'_0(\sigma')$ are both defined with results, say, $c_0(\sigma) = (w_1, u, \sigma_1, a)$ and $c'_0(\sigma') = (w'_1, u', \sigma'_1, a')$. In this case, $\mu(p)$ returns a tuple consisting of a square $w_1 \diamond w'_1$ with apex $\hat{w}_1$ and low point $\check{w}_1$, i.e. $x_1 : w_1 \to \hat{w}_1$, $x'_1 : w'_1 \to \hat{w}_1$, $v_1 : \check{w}_1 \to w_1$, $v'_1 : \check{w}_1 \to w'_1$ satisfying $x_1 u v = x'_1 u' v'$, and a proof $q \in A\hat{w}_1(x_1.a, x'_1.a')$ with $\hat{w}_1 = \mathrm{cod}(x_1)$ and $\sigma_1.v_1 \sim \sigma'_1.v'_1$ in $\mathcal{S}\check{w}_1$.

• (Realization) If $c \in \mathbb{C}$, we define $c \Vdash^{T_\varepsilon A}_w (c_0, c_1)$ to mean that whenever $h \Vdash_w \sigma$ then $c(h)$ is defined iff $c_0(\sigma)$ is defined, and if $c(h) = (h_1, v)$ and $c_0(\sigma) = (w_1, u, \sigma_1, a)$ then $h_1 \Vdash_{w_1} \sigma_1$ and $v \Vdash^A_{w_1} a$.

Proving that a semantic computation $T_\varepsilon A$ as in Definition 13 is a fibred setoid is nontrivial. The tricky case is the existence of a transitivity operation. It is here that we need the independence of abstract locations as stated in Definition 9, which implies that $\mathcal{S}$ is also minimal-pullback-preserving. Details, along with the construction of the cartesian product $(A \times B, \Vdash^{A \times B})$ and function space $(A \Rightarrow T, \Vdash^{A \Rightarrow T})$, given semantic types $(A, \Vdash^A)$ and $(B, \Vdash^B)$ and computation $(T, \Vdash^T)$, may be found in the appendix.
5.1 Fundamental theorem Given a semantic type $[\![A]\!]$ for each basic type $A$ we can interpret any type $\tau$ as a semantic type $[\![\tau]\!]$ by putting $[\![\tau_1 \xrightarrow{\varepsilon} \tau_2]\!] = [\![\tau_1]\!] \Rightarrow T_\varepsilon [\![\tau_2]\!]$. A typing context $\Gamma = x_1{:}\tau_1, \dots, x_n{:}\tau_n$ is interpreted as the semantic type $[\![\Gamma]\!] = (1 \times [\![\tau_1]\!]) \times \dots \times [\![\tau_n]\!]$, where $1$ is the constant functor returning the discrete setoid $\{()\}$.

To every typing derivation $\Gamma \vdash t : \tau \,\&\, \varepsilon$ we then associate a morphism $[\![\Gamma \vdash t : \tau \,\&\, \varepsilon]\!] : \mathcal{S}([\![\Gamma]\!]) \to T_\varepsilon [\![\tau]\!]$ such that $[\![t]\!] \Vdash^{[\![\Gamma]\!], T_\varepsilon [\![\tau]\!]} [\![\Gamma \vdash t : \tau \,\&\, \varepsilon]\!]$. (Note: this is the point where the untyped semantics is related with the abstract one.) For every equality derivation $\Gamma \vdash t = t' : \tau \,\&\, \varepsilon$ we have $[\![\Gamma \vdash t : \tau \,\&\, \varepsilon]\!] \sim [\![\Gamma \vdash t' : \tau \,\&\, \varepsilon]\!]$, where the two typing derivations $\Gamma \vdash t : \tau \,\&\, \varepsilon$ and $\Gamma \vdash t' : \tau \,\&\, \varepsilon$ are the canonical ones associated with the equality derivation $\Gamma \vdash t = t' : \tau \,\&\, \varepsilon$. In essence, one has to provide a semantic counterpart for every syntactic concept, e.g. let, fix, etc. Details are in the appendix.

5.2 Observational equivalence Let $\mathit{Int}$ stand for the constant functor that returns the discrete setoid on the set $\mathbb{Z}$ of integers. We define $v \Vdash^{\mathit{Int}}_w i \iff v = \mathit{int}(i)$. We also assume that there is some initial store and abstract store $h_0, \sigma_0$ and a world $w_0$ such that $h_0 \Vdash_{w_0} \sigma_0$. For instance, $w_0$ can be the empty world with no locations and accordingly $h_0$ the initial store at startup.

Definition 14. Let $(A, \Vdash^A)$ be a semantic type. We define an observation of type $A$ as a morphism $o : A \to T_\varepsilon \mathit{Int}$ for some $\varepsilon$ together with a function $f$ so that $f \Vdash^{A, T_\varepsilon \mathit{Int}} o$.

Two values $v, v'$ are observationally equivalent at type $A$ if for all observations $f, o$ of type $A$ one has that $f(v)(h_0)$ is defined iff $f(v')(h_0)$ is defined, and when $f(v)(h_0) = (h_1, v_1)$ and $f(v')(h_0) = (h'_1, v'_1)$ then $v_1 = v'_1$.

Taking $o = [\![\vdash f : \tau \xrightarrow{\varepsilon} \mathit{int}]\!]$ immediately yields the following:

Proposition 2. If $v, v'$ are observationally equivalent at type $[\![\tau]\!]$ and $f$ is a term such that $\vdash f : \tau \xrightarrow{\varepsilon} \mathit{int}$ then $[\![f]\!](v)(h_0)$ is defined iff $[\![f]\!](v')(h_0)$ is defined, and when $[\![f]\!](v)(h_0) = (h_1, v_1)$ and $[\![f]\!](v')(h_0) = (h'_1, v'_1)$ then $v_1 = v'_1$.

Theorem 3 (Observational equivalence). If $(A, \Vdash^A)$ is a semantic type and $v \Vdash^A_{w_0} a$ and $v' \Vdash^A_{w_0} a'$ with $a \sim a'$ in $Aw_0$, then $v$ and $v'$ are observationally equivalent at type $A$.

Proof. We have $f(v) \Vdash^{T_\varepsilon \mathit{Int}}_{w_0} o(a)$ and $f(v') \Vdash^{T_\varepsilon \mathit{Int}}_{w_0} o(a')$ and also $\mu : o(a) \sim o(a')$ in $T_\varepsilon \mathit{Int}$ for some $\mu$ as in Definition 13.

The application $\mu(\sigma_0, \sigma_0, r(\sigma_0))$, where $r(\sigma_0)$ is the reflexivity proof $\sigma_0 \sim \sigma_0$, either is undefined, in which case $o(a)(\sigma_0)$ and $o(a')(\sigma_0)$ and $f(v)(h_0)$ and $f(v')(h_0)$ are all undefined, the latter by the definition of $\Vdash^{T_\varepsilon \mathit{Int}}$. Otherwise, we get $f(v)(h_0) = (h_1, v_1)$ and $f(v')(h_0) = (h'_1, v'_1)$ and $o(a)(\sigma_0) = (\sigma_1, i_1)$ and $o(a')(\sigma_0) = (\sigma'_1, i'_1)$ where, by definition of realization in $T_\varepsilon \mathit{Int}$ and $\mathit{Int}$, we have $v_1 = \mathit{int}(i_1)$ and $v'_1 = \mathit{int}(i'_1)$. Now, $\mu(\sigma_0, \sigma_0, r(\sigma_0))$ returns a pullback square with sides $x_1 : w_1 \to \hat{w}_1$ and $x'_1 : w'_1 \to \hat{w}_1$ together with a proof $q$ such that, in particular, $x_1.i_1 \sim x'_1.i'_1$, whence $i_1 = i'_1$ since $\mathit{Int}$ is constant, and then $v_1 = v'_1$ as required. □

6 Applications 

In what follows we use our semantics to establish a number of effect-dependent semantic equalities, hence program equivalences in the sense of observational equivalence. We also give some semantically justified typings of concretely given functions, in particular the "set factory" described in Section 2.1. More examples are discussed in the appendix.
6.1 Sets of locations We work in the instantiation "sets of locations". Recall the example "dummy allocation" from Section 2.1. Suppose that $f \Vdash^{\Gamma, T_\varepsilon [\![\tau]\!]} e$. Now, put $\mathit{dummy}(e)(w)(\gamma \in [\![\Gamma]\!]w)(h \in \mathcal{S}w) = e(w)(\gamma)(h')$, where $h'$ is the heap obtained by adding a dummy location to $h$. We have $\mathit{dummy}(f) \Vdash^{\Gamma, T_\varepsilon [\![\tau]\!]} \mathit{dummy}(e)$ since $\Vdash$ is oblivious to extensions of the store. Therefore, reflexivity also furnishes a proof of equality. It also means that, semantically, $\mathit{dummy}(f)$ does not need to flag the allocation effect $\mathit{al}$, since no semantically visible world extension takes place.

For the Interleaved Dummy Allocation example, on the other hand, there is an extra step caused by the proper allocation, which yields world extensions $w \to w_1$ and $w \to w'_1$. In order to show the equivalence, we construct a proof, i.e., a pullback square $w_1 \diamond w'_1$, where the allocated concrete locations are identified in its low point. Then the reasoning is the same as that used above for showing the semantic equivalence of the Dummy example.

This is different in the following example. Define a semantic type of names $N$ by letting $Nw$ be the discrete setoid on the set $w$, $Nu(l) = u(l)$, and $v \Vdash^N_w l \iff v = \mathit{loc}(l)$. Moreover, let $f = [\![\mathit{ref}(0)]\!]$, $g =[\![\mathtt{let}\ x \Leftarrow \mathit{ref}(0)\ \mathtt{in}\ \mathtt{let}\ y \Leftarrow \mathit{ref}(0)\ \mathtt{in}\ (x, y)]\!]$, and $h = [\![\mathtt{let}\ x \Leftarrow \mathit{ref}(0)\ \mathtt{in}\ \mathtt{let}\ y \Leftarrow \mathit{ref}(0)\ \mathtt{in}\ (y, x)]\!]$. We now define semantic counterparts $f : \mathcal{S}(1) \to T_{\mathit{al}} N$ and $g, h : \mathcal{S}(1) \to T_{\mathit{al}} (N \times N)$, where

$f_0 w(\sigma) = (w_1, i_1, \sigma_1, l_1)$, $g_0 w(\sigma) = (w_2, i_2 i_1, \sigma_2, (l_1, l_2))$, and $h_0 w(\sigma) = (w_2, i_2 i_1, \sigma_2, (l_2, l_1))$.

Here and in what follows it is assumed that $\mathit{new}(\sigma) = (l_1, \sigma_1)$ and $\mathit{new}(\sigma_1) = (l_2, \sigma_2)$ and $w_1 = w \cup \{l_1\}$ and $w_2 = w_1 \cup \{l_2\}$. Recall that $\mathcal{S}w \subseteq \mathbb{H}$. Finally, $i_1 : w \to w_1$ and $i_2 : w_1 \to w_2$ stand for the obvious inclusions. We use analogous definitions for the primed variants.

In order to define $f_{0.5}$ we start with $u : w \to w'$ and $\sigma \in \mathcal{S}w$, $\sigma' \in \mathcal{S}w'$, $R \in \mathcal{R}(\mathit{al})$ such that $(\sigma, \sigma'.u) \in Rw$. Define $u' : w_1 \to w'_1$ so that $u' i_1 = i'_1 u$, that is, $u'(l) = u(l)$ for $l \in w$ and $u'(l_1) = l'_1$. We now return the pullback square $w_1 \diamond w'_1$ with apex $w'_1$ and low point $w_1$ and the trivial proof that $u'.l_1 = l'_1$. This settles the definition of $f_{0.5}$, since $Rw_1$ is total because $R \in \mathcal{R}(\mathit{al})$. Notice though that we cannot avoid the allocation effect here.

The functions $g_{0.5}$ and $h_{0.5}$ are defined analogously.

We now construct a proof that $g \sim h$; recall that only $g_0$ and $h_0$ are needed for this. Given $w$, $\sigma$ and the notation from above, this proof amounts to a pullback square $w_2 \diamond w'_2$ with sides $x$, $x'$ such that $x i_2 i_1 = x' i'_2 i'_1 u$ and $x.(l_1, l_2) = x'.(l'_2, l'_1)$ and $\sigma_2.v \sim \sigma'_2.v'$. Note that, accidentally, the final abstract stores of both computations are the same, namely, $\sigma_2$. Now let $\phi$ be the bijection that swaps $l_1, l_2$ and fixes everything else. We then take the square with apex $w_2$, $x = \mathrm{id}$ and $x' = \phi$. Now, obviously, $(l_1, l_2) = \phi.(l_2, l_1)$, and equality of abstract stores is trivial by definition.

6.2 Heap PERs In this section we generalize our earlier collection of effect-dependent program equivalences to the abstract locations of the Heap PERs instantiation. We first show that the set factory indeed has the announced effect typings and thus can participate in effect-dependent equivalences.

Set factory Let $w$ be a world and $\sigma \in \mathcal{S}w$. Suppose that $\sigma_1$ arises from $\sigma$ by allocating a fresh set data structure, e.g., a linked list, with entry point(s) $E$. Let $\ell_1$ be the abstract location describing this fresh data structure, i.e., $(h, h') \in \ell_1^{\ast}$ iff the data structures starting from $E$ in $h, h'$ are well-formed, denote the same set, and do not overlap with the footprints of any of the abstract locations in $w$. The footprint comprises the locations that make up this data structure, assuming that $(h, h) \in \ell_1^{\ast}$; otherwise any value can be chosen. Finally, $\ell_1^{\mathsf{g}}$ contains idempotent functions $\iota$ such that $\iota(h) = h_1$ and $h_1$ agree on all concrete locations from $\mathrm{dom}(h) \setminus \ell_1^{\mathsf{f}}(h)$ and, moreover, $\mathrm{dom}(h_1) \supseteq \mathrm{dom}(h)$.

Now for any chosen region $r$ we add $\ell_1$ to $r$ to yield a new world $w_1$. The function $\mathit{setfactory}_0 w \sigma$ then returns $w_1$ and a tuple of semantic functions for reading, membership and removal, of which we only sketch reading here: If $u : w_1 \to w_2$ and $\sigma_1 \in \mathcal{S}w_1$ and $i \in \mathbb{Z}$ then the reading function looks up $i$ in the data structure starting at the entry points $E$ in $\sigma_1$. (Note that $\sigma_1 \in \mathcal{S}w_1$ asserts that this data structure exists and is well-formed.) The returned (abstract) store $\sigma_2$ might not be the same as $\sigma_1$ because internal reorganizations, e.g., removal of duplicates, might have occurred. However, no world extension is needed and $\sigma_1 \sim \sigma_2$ holds. This, together with the fact that the outcome only depends on the $\ell_1^{\ast}$ equivalence class, justifies a read-only typing for reading.
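The "fictional purity" of the set factory's read operation can be exercised concretely. The following is an added example, not code from the paper: sets are singly linked lists on an explicit heap, the rely $\ell_1^{\ast}$ is "well-formed and same set of elements", and membership lazily unlinks duplicates. The demo shows that two physically different heaps in the same $\ell_1^{\ast}$-class return the same answer, that the writes performed stay inside the footprint, that no allocation occurs, and that both heaps are still in the class afterwards. All class and function names are this example's own.

```python
# Added example, not from the paper: a set 'factory' whose sets are singly linked
# lists on an explicit heap.  Membership may reorganise the list (it unlinks
# duplicates) but stays inside the l*-class of 'same set of elements', which is
# what justifies the read-only typing in the text.  All names are this example's own.


class Heap:
    """Concrete store: location -> cell, a cell being {'val': int, 'next': loc|None}."""

    def __init__(self):
        self.cells = {}

    def new(self, val, nxt):
        loc = len(self.cells)
        self.cells[loc] = {"val": val, "next": nxt}
        return loc

    def snapshot(self):
        return {k: dict(v) for k, v in self.cells.items()}


def elements(heap, entry):
    """Values along the list from `entry`; a cycle means the heap is outside l*."""
    seen, out, cur = set(), [], entry
    while cur is not None:
        if cur in seen:
            raise ValueError("cyclic list: heap is not in the domain of l*")
        seen.add(cur)
        out.append(heap.cells[cur]["val"])
        cur = heap.cells[cur]["next"]
    return out


def footprint(heap, entry):
    """l^f: the cells reachable from the entry point."""
    seen, cur = set(), entry
    while cur is not None and cur not in seen:
        seen.add(cur)
        cur = heap.cells[cur]["next"]
    return seen


def rely(h1, e1, h2, e2):
    """l*: both lists well formed and denoting the same set."""
    return set(elements(h1, e1)) == set(elements(h2, e2))


def make_set(heap, values):
    """Allocate a fresh list holding `values` (duplicates allowed); returns its entry."""
    entry = None
    for v in values:
        entry = heap.new(v, entry)
    return entry


def member(heap, entry, i):
    """Membership test that lazily unlinks duplicates while scanning.

    It writes to the heap, but only within the footprint and within the
    l*-class, so the abstract store before and after are ~-equal and no
    world extension happens: a 'fictionally pure' read."""
    seen, prev, cur = set(), None, entry
    while cur is not None:
        cell = heap.cells[cur]
        if cell["val"] in seen:          # internal reorganisation
            prev["next"] = cell["next"]
        else:
            seen.add(cell["val"])
            prev = cell
        cur = cell["next"]
    return i in seen


def demo():
    """Two heaps in one l*-class: same answers, and both stay in the class."""
    h1, h2 = Heap(), Heap()
    e1 = make_set(h1, [3, 1, 3, 2])      # constructed sample with a duplicate
    e2 = make_set(h2, [2, 1, 3])         # same set, different physical layout
    assert rely(h1, e1, h2, e2)
    before, fp = h1.snapshot(), footprint(h1, e1)
    r1, r2 = member(h1, e1, 3), member(h2, e2, 3)
    changed = {k for k in before if before[k] != h1.cells[k]}
    assert changed <= fp                 # guarantee: writes stay inside the footprint
    assert set(h1.cells) == set(before)  # no allocation, hence no world extension
    assert rely(h1, e1, h2, e2)          # still the same abstract state
    return r1, r2, elements(h1, e1)
```

Note that the unlinked cell remains allocated: the footprint shrinks but the domain of the heap does not change, which is what the guarantee condition $\mathrm{dom}(h_1) \supseteq \mathrm{dom}(h)$ allows and what keeps the operation free of an allocation effect.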
Memoization For the simple memo functional from Section 2.1 we produce, just as in the previous example, a fresh abstract location $\ell$ that contains the two newly allocated concrete locations, say $l_x, l_y$, and on which we impose the invariant $(h, h') \in \ell^{\ast}$ iff $h(l_x), h'(l_x)$ contain the same integer value, say $i$, and $h(l_y), h'(l_y)$ both contain the integer value $f(i)$, where $f$ is the pure function to be memoised.

Effect-dependent equivalences Consider the following notation:

$\sigma \sim_{\mathit{rds}(\varepsilon, w)} \sigma' \iff \forall \ell \in w(\mathit{rds}(\varepsilon)).\, (\sigma, \sigma') \in \ell^{\ast}$

$\sigma \sim_{\mathit{nwrs}(\varepsilon, w)} \sigma' \iff \forall \ell \in w(\mathit{nwrs}(\varepsilon)).\, (\sigma, \sigma') \in \ell^{\ast}$

which specify that the abstract heaps $\sigma$ and $\sigma'$ are equivalent on all the abstract locations $\ell$ in the regions associated, respectively, to the read effects and to the non-written regions of $\varepsilon$.
Lemma 2. Let $\Gamma \vdash e : \tau \,\&\, \varepsilon$. For any world $w \in \mathbb{W}$ and context $\gamma \in [\![\Gamma]\!]w$, whenever $\sigma_0, \sigma'_0 \in \mathcal{S}w$ are such that $\sigma_0 \sim_{\mathit{rds}(\varepsilon, w)} \sigma'_0$, then $c(\sigma_0)$ and $c(\sigma'_0)$, where $c = [\![\Gamma \vdash e : \tau \,\&\, \varepsilon]\!]w(\gamma)$, are equally defined, and if $c(\sigma_0) = (w_1, u, \sigma_1, v)$ and $c(\sigma'_0) = (w'_1, u', \sigma'_1, v')$ then there exist (continuously!) a pullback square $w_1 \diamond w'_1$ with apex $\hat{w}$ and low point $w$ and a proof of $x.v \sim x'.v'$ such that $xu = x'u'$ and the following is satisfied:

1. for all $\ell \in w$, we have either $(\sigma_0, \sigma_1.u) \in \ell^{\ast}$ and $(\sigma'_0, \sigma'_1.u') \in \ell^{\ast}$ (remain equivalent) or $(\sigma_1.u, \sigma'_1.u') \in \ell^{\ast}$ (equally modified);

2. if $\ell \in w(\mathit{nwrs}(\varepsilon))$, then $(\sigma_0, \sigma_1.u) \in \ell^{\ast}$ and $(\sigma'_0, \sigma'_1.u') \in \ell^{\ast}$;

3. there exists a morphism $c' : [\![\Gamma]\!] \to T_\varepsilon [\![\tau]\!]$ such that $c' \sim c$ and if $c'(w)(\gamma)(\sigma_0) = (w^{\ast}, u^{\ast}, \sigma^{\ast}, v^{\ast})$, then for all regions $r \notin \mathit{als}(\varepsilon)$, $w^{\ast}(r) = w(r)$.

We can validate all the effect-dependent program equivalences "dead, commuting, duplicated computation" and "pure lambda hoist", as well as the "masking rule" from previous work, in our new, more powerful setting. To give an impression of the formulation of these validations we state the corresponding proposition for "dead computation", which is particularly interesting in that it contains a termination precondition. The proof, and details of the other equations, are in the appendix, which also contains a validation of the loop unrolling optimisation described by Tristan and Leroy [31].

Proposition 3 (dead computation). Suppose that $\Gamma \vdash e : \mathit{unit} \,\&\, \varepsilon$, that $\mathit{wrs}(\varepsilon) = \emptyset$, and that $[\![\Gamma \vdash e : \mathit{unit} \,\&\, \varepsilon]\!]w(\gamma)(\sigma)$ is defined for all worlds $w$, all contexts $\gamma \in [\![\Gamma]\!]w$ and all abstract heaps $\sigma \in \mathcal{S}w$ (the termination precondition). Then $[\![\Gamma \vdash e : \mathit{unit} \,\&\, \varepsilon]\!] \sim [\![\Gamma \vdash () : \mathit{unit} \,\&\, \varepsilon]\!]$.

6.3 State Dependent Abstract Data Types (ADT) We prove the equivalence of a 
number of programs involving state dependent abstract data types. 
Awkward Example The first example is Pitts and Stark's classic awkward example. Consider the following two programs:

$e_1 = \mathtt{let}\ x \Leftarrow \mathit{ref}(0)\ \mathtt{in}\ \lambda f.\, x := 1;\, f();\, !x$ and $e_2 = \lambda f.\, f();\, 1$.

Intuitively, the expressions $e_1$ and $e_2$ are equivalent as they both return the value 1, although $e_1$ uses a fresh location to do so. We can formally prove the equivalence of these functions as follows. Assign the region where $x$ is allocated as $r$. If $f$ has the type $\mathit{unit} \xrightarrow{\varepsilon} \mathit{unit}$ with effects $\varepsilon$, then $e_1$ has type $(\mathit{unit} \xrightarrow{\varepsilon} \mathit{unit}) \to \mathit{int} \,\&\, \varepsilon, \mathit{al}_r$, while $e_2$ has type $(\mathit{unit} \xrightarrow{\varepsilon} \mathit{unit}) \to \mathit{int} \,\&\, \varepsilon$. Notice that $\varepsilon$ may contain $\mathit{rd}_r$ or $\mathit{wr}_r$ or both. Moreover, assume that the footprint of a location in region $r$ consists of a single concrete location $l$, and that the guarantee of a location in $r$ consists of a single function $\mathit{write}_1$ such that $\mathit{write}_1(h) = h'$ where $h'(l) = 1$ and $h'(l') = h(l')$ for all other locations $l'$. Clearly $e_1$ has such a write effect.

For proving the equivalence of $e_1$ and $e_2$, assume a world $w$ and an abstract heap $\sigma$. Let $[\![e_1]\!]w\sigma = (w \uplus w_1 \uplus w_r, u_1, \sigma_1, v_1)$ and $[\![e_2]\!]w\sigma = (w \uplus w_1, u_2, \sigma_2, v_2)$. We need to construct a pullback square $(w \uplus w_1 \uplus w_r) \diamond (w \uplus w_1)$ such that the values $v_1$ and $v_2$ are equal in its apex and $\sigma_1$ and $\sigma_2$ are equal in its low point. Since the only write that $f$ can perform on region $r$ is $\mathit{write}_1$, we have that $v_1 = 1$. We also have $v_2 = 1$ trivially. Hence $v_1$ and $v_2$ are equal in the apex of the pullback square $(w \uplus w_1 \uplus w_r) \diamond (w \uplus w_1)$. Similarly, when $\sigma_1$ is taken to the low point of the square, that is, where the locations in $w_r$ are forgotten, the resulting heap is equivalent to $\sigma_2$.

Modified Awkward Example Consider now the following variant of the Awkward example, due to Dreyer et al. [14]:

$e_1 = \mathtt{let}\ x \Leftarrow \mathit{ref}(0)\ \mathtt{in}\ \lambda f.\, x := 0;\, f();\, x := 1;\, f();\, !x$ and $e_2 = \lambda f.\, f();\, f();\, 1$.

The difference is that in the first program $x$ is written to and the call-back function is used twice. Interestingly, however, the solution given for the Awkward example works just fine. We can prove semantically that the program $e_1$ has the same type as before in the Awkward example, where the only write allowed on the abstract location assigned to $x$ is to write one. Therefore, if $f$ has the effect of writing on the region $r$, it will set $x$ to one.

Callback with Lock Example We now show the equivalence of the following programs, also due to Dreyer et al. [14]:

$e_1 = \mathtt{let}\ b \Leftarrow \mathit{ref}(\mathit{true})\ \mathtt{in}\ \mathtt{let}\ x \Leftarrow \mathit{ref}(0)\ \mathtt{in}\ \langle \lambda f.\, \mathtt{if}\ !b\ \mathtt{then}\ (b := \mathit{false};\, f();\, x := !x + 1;\, b := \mathit{true})\ \mathtt{else}\ (),\ \lambda \_.\, !x \rangle$

$e_2 = \mathtt{let}\ b \Leftarrow \mathit{ref}(\mathit{true})\ \mathtt{in}\ \mathtt{let}\ x \Leftarrow \mathit{ref}(0)\ \mathtt{in}\ \langle \lambda f.\, \mathtt{if}\ !b\ \mathtt{then}\ (b := \mathit{false};\, \mathtt{let}\ n \Leftarrow !x\ \mathtt{in}\ f();\, x := n + 1;\, b := \mathit{true})\ \mathtt{else}\ (),\ \lambda \_.\, !x \rangle$

Both programs produce a pair of functions, one incrementing the value stored in $x$ and the second returning the value stored in $x$. The boolean reference $b$ serves as a lock in the incrementing function. Once this function is called the value in $b$ is set to false, and only after calling the call-back and incrementing the value in $x$ is $b$ set to true again. However, the implementations of the increment function differ. While the program on the left calls the call-back $f()$ and then increments $x$ using the value currently stored in $x$, the program on the right remembers (in $n$) the value of $x$ before the call-back is called and then uses it to increment the value stored in $x$.

Assume that $x$ and $b$ are in the footprint of the same abstract location $\ell$ in the region $r$. We show that these programs are equivalent under the type

$((\mathit{unit} \xrightarrow{\varepsilon} \mathit{unit}) \to \mathit{unit}) \times (\mathit{unit} \to \mathit{int}) \,\&\, \mathit{al}_r, \varepsilon$,

where $\varepsilon$ may contain the effects $\mathit{wr}_r, \mathit{rd}_r$. In particular, the location $\ell$ is specified as follows: its footprint consists only of the concrete locations storing $x$ and $b$, written $l_x$ and $l_b$, while its rely-condition is equality. The more interesting part is its guarantee-condition $\ell^{\mathsf{g}}$, which contains the following idempotent functions $f_i$ for $i \in \mathbb{N}$: $f_i(h) = h$ if $h(l_b) = \mathit{false}$, and $f_i(h) = h'$ if $h(l_b) = \mathit{true}$, where $h'(l_x) = i$ if $h(l_x) < i$ and $h'(l_x) = h(l_x)$ otherwise; moreover, the value of $b$ is unchanged, that is, $h'(l_b) = h(l_b)$. It is easy to check that these functions are idempotent, as are their compositions.

First, notice that indeed the two increment functions above have effect $\mathit{wr}_r$, as the increment of $x$ is captured by using some write function $f_i$ at a point where $b$ is true. Now, to show that the two programs above are equivalent, we need to show that the value stored in $x$ before and after the call-back is called is the same. This is the case because, even if $\mathit{wr}_r \in \varepsilon$, the value stored in $b$ is false while the call-back runs, which means that any function $f_i$ used will leave the concrete locations storing $x$ and $b$ untouched.

Notice that if the read function also called the call-back, then the reasoning above would break, as the call-back could modify the value stored in $x$ because $b$ is true.
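The lock argument above is a re-entrancy argument: the call-back may only reach region $r$ through the exported closures, and while $b$ is false those closures cannot change $x$. The following is an added example, not code from the paper: both programs are written as Python closures over an explicit heap, run against constructed clients (including re-entrant ones that call the increment function from inside the call-back), and the guarantee functions $f_i$ from the text are checked for idempotence. A final, deliberately ill-typed client is handed the raw heap and writes $x$ directly from the call-back; it is the one client under which the two programs differ, which is why the equivalence depends on the call-back's writes to $r$ being confined to the guarantee. All names here are this example's own.

```python
# Added example, not from the paper: the two 'callback with lock' programs as
# closures over an explicit heap, plus the guarantee functions f_i of the text.
# Clients reach region r only through the exported closures; the one client
# that is handed the raw heap shows why that restriction is what makes the
# equivalence hold.  All names here are this example's own.


class Heap(dict):
    """Concrete store: location -> value, with fresh allocation."""

    def alloc(self, v):
        loc = len(self)
        self[loc] = v
        return loc


def program_left(heap):
    """e1: run the call-back, then x := !x + 1."""
    lb, lx = heap.alloc(True), heap.alloc(0)

    def inc(f):
        if heap[lb]:
            heap[lb] = False
            f()
            heap[lx] = heap[lx] + 1
            heap[lb] = True

    return inc, (lambda: heap[lx])


def program_right(heap):
    """e2: remember n = !x, run the call-back, then x := n + 1."""
    lb, lx = heap.alloc(True), heap.alloc(0)

    def inc(f):
        if heap[lb]:
            heap[lb] = False
            n = heap[lx]
            f()
            heap[lx] = n + 1
            heap[lb] = True

    return inc, (lambda: heap[lx])


def observe(program, client, expose_heap=False):
    """Run `client` against a fresh instance of `program`; return what it observed."""
    heap = Heap()
    inc, read = program(heap)
    trace = []
    if expose_heap:
        client(inc, read, trace, heap)   # ill-typed client: writes region r directly
    else:
        client(inc, read, trace)
    return tuple(trace)


# Constructed clients; the interesting ones re-enter inc from inside the call-back.
def client_plain(inc, read, trace):
    inc(lambda: None)
    trace.append(read())


def client_reentrant(inc, read, trace):
    def cb():                            # tries to bump x while the lock is held
        inc(lambda: None)
        trace.append(read())
    inc(cb)
    inc(cb)
    trace.append(read())


def client_nested(inc, read, trace):
    inc(lambda: inc(lambda: inc(lambda: trace.append(read()))))
    trace.append(read())


def client_untyped(inc, read, trace, heap):
    inc(lambda: heap.__setitem__(1, heap[1] + 10))   # location 1 holds x in both programs
    trace.append(read())


CLIENTS = (client_plain, client_reentrant, client_nested)


def equivalent(clients=CLIENTS):
    """True iff every well-typed client observes the same trace under both programs."""
    return all(observe(program_left, c) == observe(program_right, c) for c in clients)


def f_i(i):
    """Guarantee function from the text: raise x to i, but only while the lock is free."""
    def fn(h):
        h = dict(h)
        if h["b"] and h["x"] < i:
            h["x"] = i
        return h
    return fn


def idempotent(fn, heaps):
    return all(fn(fn(h)) == fn(h) for h in heaps)
```

Under the well-typed clients every trace agrees; under `client_untyped` the left program observes 11 and the right one 1, the classic check-then-act discrepancy that the lock, together with the restriction of call-back writes to the guarantee, rules out.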

7 Conclusions 

We have laid out the basic theory of proof-relevant logical relations and shown how they can be used to justify nontrivial effect-dependent program equivalences. We have also shown that proof-relevant logical relations give direct-style justifications of the Pitts-Stark-Shinwell equivalences for name generation. For the first time it was possible to combine effect-dependent program equivalences with hidden invariants allowing "silent modifications" that do not count towards the ascription of an effect. Earlier accounts of effect-dependent program equivalences [19, 5, 4, 6, 30] do not provide such possibilities.

Proof-relevant logical relations, or rather the sets $|Aw|$ where $A$ is a semantic type, bear a vague relationship with the model variables [11] from "design by contract" [23] and more generally data refinement [25]. The commonality is that we track the semantic behavior of a program part with abstract functions on some abstracted set of data that may contain additional information (the "model"). The difference is that we do not focus on particular proof methods or specification formalisms but that we provide a general, sound semantic model for observational equivalence and program transformation, and not merely for functional correctness. This is possible by the additional, also proof-relevant, part of the semantic equality proofs between the elements of the models. We also note that our account rigorously supports higher-order functions, recursion, and dynamic allocation.

Our abstract locations draw upon several ideas from separation logic [28], in particular footprints and the conditions on rely/guarantee assumptions from [32]. Intriguingly, we did not need something resembling the "frame rule", although perhaps the $\forall$-quantification over larger worlds in function spaces plays its role.

Pullback-preserving functors and especially the instantiation sets of locations are inspired by FM-sets [15] or rather the Schanuel topos to which they are equivalent (see Staton [29] for a comprehensive account). The instantiations other than sets of locations, as well as the use of setoids for the "values" of these functors rather than plain sets, are original to this work.

We would like to have a semi-formal format that allows one to integrate semantic arguments with typing and equality derivations more smoothly. We would also like to allow proof-relevant partial equivalences in the Heap PER instantiation, which essentially amounts to the ability to store values with proof-relevant equality. In particular, this would allow us to model higher-order store with some layering policy [9]. For unrestricted higher-order store as in [30], but with abstract locations, one would need to overcome the well-known difficulties with the circular definition of worlds. Step-indexing is an option, but we would prefer a domain-theoretic solution. The formal similarity of our abstract locations with the rely-guarantee formalism [12, 32] suggests the intriguing possibility of an extension to concurrency.

We also believe that update operations governed by finite state machines [1] can be modelled as an instance of our framework and thus combined with effect-dependency. The application of our general framework to effects other than reading, writing and allocation deserves further investigation.

Indeed, we feel that with the transition to proof-relevance we have opened a door to 
a whole new world that hopefully others will investigate with us. 
A Online Appendix



This appendix contains some additional technical material that was omitted from the main body for space reasons. In particular, Section A.1 contains standard details on the semantics of values and computations as well as on domain theory. Section A.2 elaborates the theory of setoids, introducing the definition of isomorphic pullbacks, and contains more properties of p.p.f. In Section A.3 a third instantiation can be found, more complex than sets of locations but simpler than Heap PERs. Section A.4 contains most of the machinery necessary to establish the Fundamental Theorem. Finally, Section A.5 contains further applications of our setting. For instance, we prove the soundness of a number of rewrites, such as the commuting equation, duplication elimination, pure lambda-hoist, etc. We also prove the soundness of the Masking rule and discuss the loop-unrolling example from [31].

A.1 Syntax and Semantics

Predomains. A predomain is an $\omega$-cpo, i.e. a partial order with suprema of ascending chains. A domain is a predomain with a least element, $\bot$. Recall that $f : A \to A'$ is continuous if it is monotone ($x \le y \Rightarrow f(x) \le f(y)$) and preserves suprema of ascending chains, i.e. $f(\sup_i x_i) = \sup_i f(x_i)$. Any set is a predomain with the discrete order. If $X$ is a set and $A$ a predomain then any $f : X \to A$ is continuous. A subset $U$ of a predomain $A$ is admissible if whenever $(a_i)_i$ is an ascending chain in $A$ such that $a_i \in U$ for all $i$, then $\sup_i a_i \in U$, too. If $f : X \times A \to A$ is continuous and $A$ is a domain then one defines $f^\dagger(x) = \sup_i f_x^i(\bot)$ with $f_x(a) = f(x, a)$. One has $f(x, f^\dagger(x)) = f^\dagger(x)$, and if $U \subseteq A$ is admissible and $f : X \times U \to U$ then $f^\dagger : X \to U$, too. We denote a partial (continuous) function from set (predomain) $A$ to set (predomain) $B$ by $f : A \rightharpoonup B$.
Semantics. The untyped semantics of values and computations is given by the recursive clauses in Figure 5; note the overloading of semantic brackets for constants, values and computations. The notation $\eta(x)$ stands for the $i$-th projection from $\eta \in V^n$ if $x$ is $x_i$, and $\eta[x \mapsto v]$ (functionally) updates the $i$-th slot in $\eta$ when $x = x_i$.

Values:

$\llbracket x \rrbracket\eta = \eta(x)$

$\llbracket c \rrbracket\eta = \llbracket c \rrbracket$

$\llbracket (v_1, v_2) \rrbracket\eta = (\llbracket v_1 \rrbracket\eta, \llbracket v_2 \rrbracket\eta)$

$\llbracket v.i \rrbracket\eta = d_i$ if $i = 1, 2$ and $\llbracket v \rrbracket\eta = (d_1, d_2)$

$\llbracket \mathrm{rec}\ f\ x = t \rrbracket\eta = \mathit{fun}(g^\dagger(\eta))$, where $g(\eta, u) = \lambda d.\, \llbracket t \rrbracket\eta[f \mapsto \mathit{fun}(u), x \mapsto d]$

$\llbracket v \rrbracket\eta = \mathit{int}(0)$, otherwise

Computations:

$\llbracket v \rrbracket\eta\, h = (h, \llbracket v \rrbracket\eta)$

$\llbracket \mathrm{if}\ v\ \mathrm{then}\ t_2\ \mathrm{else}\ t_3 \rrbracket\eta\, h = \llbracket t_2 \rrbracket\eta\, h$ if $\llbracket v \rrbracket\eta = \mathit{int}(z)$, $z \neq 0$

$\llbracket \mathrm{if}\ v\ \mathrm{then}\ t_2\ \mathrm{else}\ t_3 \rrbracket\eta\, h = \llbracket t_3 \rrbracket\eta\, h$ if $\llbracket v \rrbracket\eta = \mathit{int}(0)$

$\llbracket \mathrm{let}\ x \Leftarrow t_1\ \mathrm{in}\ t_2 \rrbracket\eta\, h = \bot$ when $\llbracket t_1 \rrbracket\eta\, h = \bot$

$\llbracket \mathrm{let}\ x \Leftarrow t_1\ \mathrm{in}\ t_2 \rrbracket\eta\, h = \llbracket t_2 \rrbracket\eta[x \mapsto v]\, h_1$ when $\llbracket t_1 \rrbracket\eta\, h = (h_1, v)$

$\llbracket !v \rrbracket\eta\, h = (h, h(l))$ when $\llbracket v \rrbracket\eta = \mathit{loc}(l)$

$\llbracket v_1 := v_2 \rrbracket\eta\, h = (h[l \mapsto \llbracket v_2 \rrbracket\eta], \mathit{int}(0))$ when $\llbracket v_1 \rrbracket\eta = \mathit{loc}(l)$

$\llbracket \mathrm{ref}(v) \rrbracket\eta\, h = \mathit{new}(h, \llbracket v \rrbracket\eta)$

$\llbracket t \rrbracket\eta\, h = (h, \mathit{int}(0))$, otherwise

Fig. 5: Semantics of the untyped meta language
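To make the clauses of Fig. 5 concrete, here is an added example (not code from the paper) of a small interpreter for the untyped meta language in Python. Terms are nested tuples and $\bot$ is represented by None. The `rec` clause builds the $n$-th Kleene approximant $g^n_\eta(\bot)$ of $g^\dagger(\eta)$ for a given fuel $n$, and `denote` takes the supremum by searching for the first $n$ at which the result is defined, mirroring $f^\dagger(x) = \sup_i f^i_x(\bot)$. The application clause and the integer primitives (`op`) are assumptions of this example, since the extracted figure only lists the clauses above.

```python
# Added example (not from the paper): an interpreter for the untyped meta
# language of Fig. 5.  Values are tagged tuples ('int', n) | ('loc', l) |
# ('pair', v, v') | ('fun', g), with g(d, heap) -> (heap', value) or None;
# None plays the role of bottom.  Heaps are dicts from locations to values.

def new(heap, v):
    """Allocate the least unused location holding v."""
    l = 0
    while l in heap:
        l += 1
    h = dict(heap)
    h[l] = v
    return h, ('loc', l)

def eval_val(term, env, fuel):
    """[[v]]eta; `fuel` is the index n of the Kleene approximant used for rec."""
    tag = term[0]
    if tag == 'var':                                   # eta(x)
        return env[term[1]]
    if tag == 'const':
        return ('int', term[1])
    if tag == 'pair':
        return ('pair', eval_val(term[1], env, fuel), eval_val(term[2], env, fuel))
    if tag == 'proj':                                  # v.i with i in {1, 2}
        d = eval_val(term[1], env, fuel)
        return d[term[2]] if d[0] == 'pair' else ('int', 0)
    if tag == 'op':                                    # assumed extension: +, -, * on ints
        a, b = eval_val(term[2], env, fuel), eval_val(term[3], env, fuel)
        if a[0] == 'int' and b[0] == 'int':
            return ('int', {'+': a[1] + b[1], '-': a[1] - b[1], '*': a[1] * b[1]}[term[1]])
        return ('int', 0)
    if tag == 'rec':                                   # fun(g^dagger(eta)) as its n-th approximant
        f, x, body = term[1], term[2], term[3]
        def approx(n):
            def g(d, heap):
                if n == 0:
                    return None                        # g_eta^0(bottom) = bottom
                env2 = {**env, f: ('fun', approx(n - 1)), x: d}
                return eval_comp(body, env2, heap, fuel)
            return g
        return ('fun', approx(fuel))
    return ('int', 0)                                  # "otherwise" clause

def eval_comp(term, env, heap, fuel):
    """[[t]]eta h: returns (heap', value) or None (bottom)."""
    tag = term[0]
    if tag == 'val':
        return heap, eval_val(term[1], env, fuel)
    if tag == 'if':                                    # int(z), z != 0 picks t2; int(0) picks t3
        v = eval_val(term[1], env, fuel)
        if v[0] == 'int' and v[1] != 0:
            return eval_comp(term[2], env, heap, fuel)
        return eval_comp(term[3], env, heap, fuel) if v == ('int', 0) else (heap, ('int', 0))
    if tag == 'let':                                   # bottom in t1 propagates
        r = eval_comp(term[2], env, heap, fuel)
        if r is None:
            return None
        h1, v = r
        return eval_comp(term[3], {**env, term[1]: v}, h1, fuel)
    if tag == 'deref':                                 # !v
        v = eval_val(term[1], env, fuel)
        return (heap, heap[v[1]]) if v[0] == 'loc' else (heap, ('int', 0))
    if tag == 'assign':                                # v1 := v2, result int(0)
        v1 = eval_val(term[1], env, fuel)
        if v1[0] != 'loc':
            return heap, ('int', 0)
        return {**heap, v1[1]: eval_val(term[2], env, fuel)}, ('int', 0)
    if tag == 'ref':
        return new(heap, eval_val(term[1], env, fuel))
    if tag == 'app':                                   # assumed: v1 v2 runs the closure in v1
        fv = eval_val(term[1], env, fuel)
        return fv[1](eval_val(term[2], env, fuel), heap) if fv[0] == 'fun' else (heap, ('int', 0))
    return heap, ('int', 0)                            # "otherwise" clause

def denote(term, heap=None, max_fuel=64):
    """sup_n of the approximants: the first defined result is the limit;
    None means the program denotes bottom (up to max_fuel)."""
    for n in range(max_fuel + 1):
        r = eval_comp(term, {}, dict(heap or {}), n)
        if r is not None:
            return r
    return None

# Constructed sample: sum 1..4 into a fresh cell r, then read it back.
SUM_BODY = ('if', ('var', 'n'),
            ('let', 'cur', ('deref', ('var', 'r')),
             ('let', '_', ('assign', ('var', 'r'), ('op', '+', ('var', 'cur'), ('var', 'n'))),
              ('app', ('var', 'sum'), ('op', '-', ('var', 'n'), ('const', 1))))),
            ('deref', ('var', 'r')))
SUM_TO_4 = ('let', 'r', ('ref', ('const', 0)),
            ('app', ('rec', 'sum', 'n', SUM_BODY), ('const', 4)))
DIVERGE = ('app', ('rec', 'f', 'x', ('app', ('var', 'f'), ('var', 'x'))), ('const', 1))

if __name__ == '__main__':
    print(eval_comp(SUM_TO_4, {}, {}, 4))   # None: four approximants do not suffice
    print(denote(SUM_TO_4))                 # ({0: ('int', 10)}, ('int', 10))
    print(denote(DIVERGE, max_fuel=16))     # None
```

The fuel argument is what makes the $\bot$ clauses visible: with fuel 4 the recursion bottoms out one call too early and the whole `let` chain yields None, with fuel 5 the chain becomes defined, and for a genuinely divergent `rec` every approximant is None, exactly as $\sup_i g^i_\eta(\bot) = \bot$.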
A.2 Setoids

More on dependency. We should explain what continuity of a dependent function like $t(-,-)$ is: if $(x_i)_i$, $(y_i)_i$ and $(z_i)_i$ are ascending chains in $A$ with suprema $x, y, z$, and $p_i \in A(x_i, y_i)$ and $q_i \in A(y_i, z_i)$ are proofs such that $(x_i, y_i, p_i)_i$ and $(y_i, z_i, q_i)_i$ are ascending chains, too, with suprema $(x, y, p)$ and $(y, z, q)$, then $(x_i, z_i, t(p_i, q_i))_i$ is an ascending chain of proofs (by monotonicity of $t(-,-)$) and its supremum is $(x, z, t(p, q))$.

Formally, such dependent functions can be reduced to non-dependent ones using pullbacks, that is, $t$ would be a function defined on the pullback of the second and first projections from $\{(x, y, p) \mid p \in A(x, y)\}$ to $|A|$, but we find the dependent notation to be much more readable.
Isomorphic pullbacks.

Definition 15. Let $W$ be a category of worlds. Two pullback squares $w\,{}^{u}\Diamond^{u'}\,w'$ and $w\,{}^{v}\Diamond^{v'}\,w'$ are isomorphic if there is an isomorphism $f$ between the two low points of the squares so that $v f = u$ and $v' f = u'$, thus also $u f^{-1} = v$ and $u' f^{-1} = v'$.

It is easy to see that pullback squares can be composed.

Lemma 3. Given a category of worlds $W$ with $w, w', w'' \in W$, if $w\,{}^{x}\Diamond^{x'}\,w'$ and $w'\,{}^{y}\Diamond^{y'}\,w''$ are pullback squares, then there exist $z, z', t, t'$ such that $w\,{}^{zx}\Diamond^{z'y'}\,w''$ is also a pullback.

Proof. Choose $z, z', t, t'$ in such a way that the square formed on $z, z'$ (over the apexes of the two given squares) and the square formed on $t, t'$ are pullbacks. The verifications are then an easy diagram chase. □

Pullback squares can be decomposed as formally described below. This property is used, for instance, in the definition of fibred setoids, formalizing our notion of semantic computation; in particular, to formalize that the executions of related computations do not depend on each other.

Lemma 4. A pullback square ${}^{x}\Diamond^{x'}$ in a category of worlds is isomorphic to the composite (in the sense of Lemma 3) $t({}^{x}\Diamond^{1}, {}^{1}\Diamond^{x'})$ of the two degenerate pullback squares with one identity leg.
Pullback-preserving functors.

Lemma 5. If $A$ is a p.p.f., $u : w \to w'$ and $a, a' \in Aw$, there is a continuous function $Aw'(u.a, u.a') \to Aw(a, a')$. Moreover, the "common ancestor" $\bar a$ of $a$ and $a'$ is unique up to $\sim$.

Note that the ordering on worlds and world morphisms is discrete, so that continuity only refers to the $Aw'(u.a, u.a')$ argument.

Definition 16 (Morphism of functors). If $A, B$ are p.p.f., a morphism from $A$ to $B$ is a pair $e = (e_0, e_1)$ of continuous functions where $e_0 : \Pi w.\, Aw \to Bw$ and $e_1 : \Pi w.\Pi w'.\Pi x : w \to w'.\Pi a \in Aw.\Pi a' \in Aw'.\, Aw'(x.a, a') \to Bw'(x.e_0(a), e_0(a'))$. A proof that morphisms $e, e'$ are equal is given by a continuous function $\mu : \Pi w.\Pi a \in Aw.\, Bw(e(a), e'(a))$.

These morphisms compose in the obvious way, and so the pullback-preserving functors and the morphisms between them form a category.

More on $S(A)$ and fibred setoids. If ${}^{x}\Diamond^{x'}$ and ${}^{y}\Diamond^{y'}$ are two composable pullback squares with composite ${}^{zx}\Diamond^{z'y'}$, and $p \in S(A)^{x}\Diamond^{x'}(a, a')$ and $p' \in S(A)^{y}\Diamond^{y'}(a', a'')$, then the composite proof $t_{S(A)}(p, p') \in S(A)^{zx}\Diamond^{z'y'}(a, a'')$ is given by $t_A(z.p, z'.p')$. Indeed, if $w = \mathrm{cod}(z)$ is the apex of the composite square then $z.p \in Aw(zx.a, zx'.a')$ and $z'.p' \in Aw(z'y.a', z'y'.a'')$, and $zx'.a' = z'y.a'$ since $zx' = z'y$, so the two proofs compose in $Aw$.

Lemma 6. Let $T$ be a fibred setoid. The elements $t$ given by pullback preservation are unique up to $\sim$. If $u : w \to w'$ is an isomorphism then there is a continuous function $Tu : Tw \to Tw'$, and it is bijective up to $\sim$ with inverse $T(u^{-1})$. If $\Diamond$ and $\Diamond'$ are isomorphic pullback squares then there are continuous back and forth functions $\Pi t.\Pi t'.\, T\Diamond(t, t') \to T\Diamond'(t, t')$.

Lemma 7. If $A$ is a p.p.f. and $T$ is a fibred setoid then, in order to specify a morphism from $S(A)$ to $T$ with given first component $f_0 : \Pi w.\, Aw \to Tw$, it is enough to provide a continuous function $f_{0.5} : \Pi w.\Pi w'.\Pi x : w \to w'.\Pi a \in Aw.\Pi a' \in Aw'.\, Aw'(x.a, a') \to T^{x}\Diamond^{1}(f_0(a), f_0(a'))$.

Proof. If $(f_0, f_1)$ is a morphism we can define $f_{0.5}$ by $f_{0.5}(x, p) = f_1(x, a, a', p)$, noting that $p \in S(A)^{x}\Diamond^{1}(a, a')$. Conversely, given $f_{0.5}$, to define $f_1$ we pick a pullback square $w\,{}^{x}\Diamond^{x'}\,w'$ with apex $\bar w$, and $a \in Aw$, $a' \in Aw'$ and $p \in A\bar w(x.a, x'.a')$, i.e., a proof in $S(A)\Diamond(a, a')$. Applying $f_{0.5}$ to a reflexivity proof $r(-)$ yields the proof $p_1 \in T^{x}\Diamond^{1}(f_0(a), f_0(x.a))$; moreover, applying $f_{0.5}$ to $s(p)$ yields $p_2 \in T^{x'}\Diamond^{1}(f_0(a'), f_0(x.a))$. Then $t(p_1, s(p_2)) \in T\,t({}^{x}\Diamond^{1}, {}^{1}\Diamond^{x'})(f_0(a), f_0(a'))$, so that Lemmas 4 and 6 yield the desired proof in the square $T^{x}\Diamond^{x'}(f_0(a), f_0(a'))$.

The second part of the lemma, about equality, is just a restatement of the definition of equality of morphisms of fibred setoids. □

Lemma 8. Let $A, B$ be p.p.f. For every morphism $e : A \to B$ there is a morphism $S(e) : S(A) \to S(B)$ such that $S(e)_0 = e_0$. Thus, in particular, $S(-)$ is a full and faithful functor from the category of p.p.f. on $W$ to the category of fibred setoids over $W$.

On abstract heaps. The definition of minimal pullback-preserving functor corresponds to the p.p.f. used for values, but is used for abstract heaps. In particular, an abstract heap at the low point of a pullback square is the result of forgetting locations from an abstract heap at its apex.

Applying the definition of minimal p.p.f. to the trivial minimal pullback ${}^{u}\Diamond^{1}$, plus nonemptiness, yields the following result.

Lemma 9. For every $u : w \to w'$ and $\sigma \in Sw$ there is a morphism of setoids $Sw \to Sw'$ which is right inverse to $(-).u$.

The "unique up to $\sim$" clause allows us in particular to assert the $\sim$-equality of two abstract stores $\sigma, \sigma' \in Sw$ by proving $\sigma.x \sim \sigma'.x$ and $\sigma.x' \sim \sigma'.x'$ separately when ${}^{x}\Diamond^{x'}$ is a minimal pullback with apex $w$.
A.3 Computational model

We now discuss a third instantiation of our framework, which captures the setting developed in [5].

Flat stores. The flat stores instantiation assumes that heap locations contain merely integer values and no pointers. Possible worlds are finite sets of locations together with a function that associates to each location a region taken from a fixed set $\mathit{Regs}$ of regions. World morphisms must preserve this tagging. We write $l \in w$ and $l \in w(r)$ to mean that $l$ occurs in $w$, and with region $r$ in the second case. Abstract stores $Sw$ comprise those heaps $h \in H$ with $\mathrm{dom}(h) \supseteq w$ and such that $l \in w$ and $h \in Sw$ implies that $h(l)$ is an integer value $\mathit{int}(v)$ for $v \in \mathbb{Z}$ (thus all locations hold integer values). We put $h \sim h'$ in $Sw$ iff for all $l \in w$ one has $h(l) = h'(l)$. In this case there is a unique proof. For a morphism $u : w \to w'$ we define $Su : Sw' \to Sw$ by renaming concrete locations according to $u$. The elementary effects are $\mathit{rd}_r$, $\mathit{wr}_r$, $\mathit{al}_r$, representing reading from within, writing into, and allocating within a region $r$. The associated sets of relations are given by (for all worlds $w$):

$R \in \mathcal{R}(\mathit{rd}_r) \iff (\sigma, \sigma') \in Rw \Rightarrow \forall l \in w(r).\, \sigma(l) = \sigma'(l)$

$R \in \mathcal{R}(\mathit{wr}_r) \iff (\sigma, \sigma') \in Rw \Rightarrow \forall l \in w(r).\forall v \in \mathbb{Z}.\, (\sigma[l \mapsto \mathit{int}(v)], \sigma'[l \mapsto \mathit{int}(v)]) \in Rw$

$R \in \mathcal{R}(\mathit{al}_r) \iff (\sigma, \sigma') \in Rw \Rightarrow \forall w_1.\forall u \in I(w, w_1).\, (\mathrm{dom}(w_1) \setminus \mathrm{dom}(w) \subseteq \mathrm{dom}(w_1(r))) \Rightarrow \forall \sigma_1 \in Sw_1, \sigma'_1 \in Sw_1.\, \sigma_1.u \sim \sigma \wedge \sigma'_1.u \sim \sigma' \wedge (\forall l \in \mathrm{dom}(w_1) \setminus \mathrm{dom}(w).\, \sigma_1(l) = \sigma'_1(l)) \Rightarrow (\sigma_1, \sigma'_1) \in Rw_1$

This essentially mirrors the setting of our earlier relation-based account of reading, writing and allocation with integer-valued stores [5], with the difference that allocation is modelled with relations on the same level as reading and writing, and that the stores being related share the same layout.

A.4 Proof-relevant logical relations

The following establishes that the semantics of the monad corresponds indeed to a semantic computation, that is, a fibred setoid.

Proposition 4. The semantic computation $T_\varepsilon A$ as defined in Definition 13 is a fibred setoid.

Proof. The tricky case is to show the existence of a transitive operation. It is here that we require the independence of abstract locations as stated in Definition 9, which implies that $S$ is also minimal-pullback-preserving.

Assume that there are proofs $p_1 : T_\varepsilon A^{x}\Diamond^{x'}(c, c')$ and $p_2 : T_\varepsilon A^{y}\Diamond^{y'}(c', c'')$, where $w\,{}^{x}\Diamond^{x'}\,w'$ and $w'\,{}^{y}\Diamond^{y'}\,w''$. We also have $\sigma \in Sw$ and $\sigma'' \in Sw''$ such that they are equivalent in the pullback of the low points of these two pullback squares. Let $q$ be this pullback.

In order to use the proofs $p_1$ and $p_2$, we need to construct from $\sigma$ and $\sigma''$ an abstract heap $\sigma' \in Sw'$. Let $\bar q$ be the minimal pullback over the apexes of the two pullback squares $w\,{}^{x}\Diamond^{x'}\,w'$ and $w'\,{}^{y}\Diamond^{y'}\,w''$. Then $w$ and $w''$ form a pullback square with apex $\bar q$ and low point $q$. Since $S$ is minimal-pullback-preserving, there is a $\sigma_{\bar q} \in S\bar q$ which is equivalent to $\sigma$ and $\sigma''$ when taken to the world $q$. We now define $\sigma' \in Sw'$ to be $\sigma_{\bar q}$ taken to the world $w'$. We thus have $\sigma' \in Sw'$ and $\sigma'' \in Sw''$ such that $\sigma.v_1 \sim \sigma'.v'_1$ and $\sigma'.v_2 \sim \sigma''.v'_2$.

We can now use $p_1$ and $p_2$. In particular, let $c(\sigma) = (w_1, u_1, \sigma_1, v_1)$, $c'(\sigma') = (w'_1, u'_1, \sigma'_1, v'_1)$ and $c''(\sigma'') = (w''_1, u''_1, \sigma''_1, v''_1)$. From the proofs we get two pullback squares $w_1 \Diamond w'_1$ and $w'_1 \Diamond w''_1$. It is easy to show that the values obtained are equal in the minimal pullback over the apexes of these two pullback squares, and that the abstract heaps are equivalent in the pullback of their low points. □

Definition 17 (cartesian product). If $(A, \Vdash^A)$ and $(B, \Vdash^B)$ are semantic types, their cartesian product $(A \times B, \Vdash^{A \times B})$ is defined by $(A \times B)w = Aw \times Bw$ (cartesian product of setoids) and $(v_1, v_2) \Vdash^{A \times B} (a, b) \iff v_1 \Vdash^A a \wedge v_2 \Vdash^B b$.

Definition 18 (function space). Let $(A, \Vdash^A)$ be a semantic type and $(T, \Vdash^T)$ be a semantic computation. We define a semantic type $(A \Rightarrow T, \Vdash^{A \Rightarrow T})$ as follows. An object $f$ of $(A \Rightarrow T)w$ is a pair $(f_0, f_1)$ of continuous functions where $f_0$ assigns to each $w_1$ and $v : w \to w_1$ a continuous function $f_0(v) : Aw_1 \to Tw_1$. The second component $f_1$ assigns to each $v : w \to w_1$ and $v_1 : w_1 \to w_2$ a continuous function $\Pi a \in Aw_1.\Pi a' \in Aw_2.\, Aw_2(v_1.a, a') \to T^{v_1}\Diamond^{1}(f_0(v, a), f_0(v_1 v, a'))$.

If $f, f' \in |A \Rightarrow T|$ then a proof $\mu \in (A \Rightarrow T)(f, f')$ is a continuous function assigning to each $v : w \to w_1$ and $a \in Aw_1$ a proof $\mu(v, a) \in T^{1}\Diamond^{1}(f_0(v, a), f'_0(v, a))$.

If $u : w \to w'$ and $f = (f_0, f_1) \in (A \Rightarrow T)w$ then $u.f \in (A \Rightarrow T)w'$ is given by precomposition with $u$, i.e., $(u.f)_0(v, a) = f_0(vu, a)$, etc.

As for the realisation relation $\Vdash^{A \Rightarrow T}$, we put $v \Vdash^{A \Rightarrow T} f$ to mean that $v = \mathit{fun}(g)$ for some $g$ and whenever $j : w \to w_1$ is an inclusion and $u \Vdash^A a$ then $g(u) \Vdash^T f(j, a)$.

Notice that, unlike morphisms, the elements of the function space are not identified if they are "provably equal". Notice also that $v \Vdash^{A \Rightarrow T} f$ implies $v \Vdash^{A \Rightarrow T} j.f$ whenever $j : w \to w_1$ is an inclusion.

In what follows we define semantic counterparts to the generic syntactic constructions common to all instantiations, namely application and abstraction, sequential composition, subeffecting and recursion, that allow us to define the interpretation of derivations in a compositional fashion. Having given these semantic counterparts, we then omit the formal definition of the interpretation $\llbracket - \rrbracket$.

Lemma 10 (Abstraction). Let $\Gamma, A$ be semantic types and $T$ a semantic computation. There is a function $\Lambda$ so that if $e : S(\Gamma \times A) \to T$ is a morphism of fibred setoids then $\Lambda(e) : S(\Gamma) \to A \Rightarrow T$. Moreover, if $e \sim e'$ then $\Lambda(e) \sim \Lambda(e')$, and if $f \Vdash^{\Gamma \times A \to T} e$ then $\lambda\eta.\lambda a.\, f(\eta, a) \Vdash^{\Gamma \to A \Rightarrow T} \Lambda(e)$.

Lemma 11 (Application). Let $A$ be a semantic type and $T$ be a semantic computation. There is a morphism $\mathit{app} : S((A \Rightarrow T) \times A) \to T$ and $\lambda(f, a).\, f(a) \Vdash^{((A \Rightarrow T) \times A) \to T} \mathit{app}$.

Lemma 12 (Subeffecting). Let $\Gamma, A$ be semantic types and $\varepsilon, \varepsilon'$ be effects. There is a function $\mathit{subeff}$ so that if $e : S(\Gamma) \to T_\varepsilon A$ then $\mathit{subeff}(e) : S(\Gamma) \to T_{\varepsilon \cup \varepsilon'} A$. Moreover, if $e \sim e'$ then $\mathit{subeff}(e) \sim \mathit{subeff}(e')$. Finally, if $f \Vdash^{\Gamma \to T_\varepsilon A} e$ then $f \Vdash^{\Gamma \to T_{\varepsilon \cup \varepsilon'} A} \mathit{subeff}(e)$.

Proof. For the first component, $\mathit{subeff}_0$, we use the same first component $e_0$ of $e$. What changes is the definition of the second component, $\mathit{subeff}_1$. It is defined only for relations $R \in \mathcal{R}(\varepsilon \cup \varepsilon')$, for which $e_1$ is also defined. For given related abstract heaps in $R$, $\mathit{subeff}_1$ calls $e_1$, constructing the corresponding pullback. For proofs the reasoning is similar. □

We elide assertions about $\sim$-versions of beta-eta-equality, and the existence of "value morphisms" of type $S(A) \to T_\varepsilon A$ for any semantic type $A$.

Lemma 13 (let). Let $\Gamma, A, B$ be semantic types and $\varepsilon$ an effect. There is a function $\mathit{let}$ such that if $e_1 : S(\Gamma) \to T_\varepsilon A$ and $e_2 : S(\Gamma \times A) \to T_\varepsilon B$ are morphisms then $\mathit{let}(e_1, e_2) : S(\Gamma) \to T_\varepsilon B$. Moreover, if $e_1 \sim e'_1$ and $e_2 \sim e'_2$ then $\mathit{let}(e_1, e_2) \sim \mathit{let}(e'_1, e'_2)$. Finally, if $f_1 \Vdash^{\Gamma \to T_\varepsilon A} e_1$ and $f_2 \Vdash^{\Gamma \times A \to T_\varepsilon B} e_2$ then $\lambda\eta.\lambda h.\, \mathrm{let}\ (h_1, v) \Leftarrow f_1(\eta)(h)\ \mathrm{in}\ f_2(\eta, v)(h_1) \Vdash^{\Gamma \to T_\varepsilon B} \mathit{let}(e_1, e_2)$.
Proof. Consider the following definition for the first component of the morphism $\mathit{let}(e_1, e_2)$, which is only defined when $e_1$ and $e_2$ are defined. The type of this component is $\llbracket \Gamma \rrbracket w \to T_\varepsilon\llbracket B \rrbracket w$. Hence, assume a world $w$ and a context $\gamma \in \llbracket \Gamma \rrbracket w$; one then returns an object $(c_0, c_1) \in T_\varepsilon\llbracket B \rrbracket w$. The first component $c_0$ is $\Pi w.\Pi\gamma \in \llbracket \Gamma \rrbracket w.\Pi\sigma \in Sw.\, e_2(w_1)(u_1.\gamma, v_1)\sigma_1$, where $e_1(w)(\gamma)\sigma = (w_1, u_1, \sigma_1, v_1)$.

For the second component, $c_1$, assume a relation $R \in \mathcal{R}(\varepsilon)$ and two abstract heaps $\sigma, \sigma' \in Sw$ such that $(\sigma, \sigma') \in Rw$. From $e_1$ we get a pullback square $w_1\,{}^{x_1}\Diamond^{x'_1}\,w'_1$ with apex $\bar w_1$, where $e_1(w)(\gamma)\sigma = (w_1, u_1, \sigma_1, v_1)$ and $e_1(w)(\gamma)\sigma' = (w'_1, u'_1, \sigma'_1, v'_1)$, such that $(\sigma_1.x_1, \sigma'_1.x'_1) \in R$ and $p : \llbracket A \rrbracket \bar w_1(x_1.v_1, x'_1.v'_1)$. Applying $e_2$ to $\sigma_1.x_1$ and $\sigma'_1.x'_1$ we get a pullback square $q_2 \Diamond q'_2$ whose resulting heaps $\hat\sigma_2$ and $\hat\sigma'_2$ are related by $R$. However, we need to show that the heaps obtained from applying $e_2$ to $\sigma_1$ and $\sigma'_1$ (using the correct world and context), namely $\sigma_2$ and $\sigma'_2$, are related. For this we rely on the morphism $(e_2)_1$. In particular, we use $(e_2)_1$ on the pullback $w_1 \Diamond \bar w_1$ and obtain a pullback $w_2 \Diamond q_2$ such that $\sigma_2$ and $\hat\sigma_2$ are equal in its low point. Similarly, applying $(e_2)_1$ on the pullback $\bar w_1 \Diamond w'_1$, we get a pullback $q'_2 \Diamond w'_2$ where $\hat\sigma'_2$ is equal to $\sigma'_2$ in its low point. Using Lemma 3 we compose the pullbacks $w_2 \Diamond q_2$, $q_2 \Diamond q'_2$ and $q'_2 \Diamond w'_2$, obtaining a common pullback $q$ where $\sigma_2$ and $\sigma'_2$, when taken to $q$, are in $R$.

The proof that $\mathit{let}(e_1, e_2) \sim \mathit{let}(e'_1, e'_2)$ can then be given when $e_1 \sim e'_1$ and $e_2 \sim e'_2$. Assume a pullback $w\,{}^{1}\Diamond^{1}\,w$, an abstract heap $\sigma \in Sw$ and a context $\gamma \in \llbracket \Gamma \rrbracket w$. Using the proof of $e_1 \sim e'_1$ on these objects, we obtain a pullback $w_1\,{}^{x_1}\Diamond^{x'_1}\,w'_1$ with apex $\bar w_1$, $p_1 \in \llbracket A \rrbracket \bar w_1(x_1.v_1, x'_1.v'_1)$ and $q_1 : \sigma_1.x_1 \sim \sigma'_1.x'_1$, where $e_1(w)(\gamma)\sigma = (w_1, u_1, \sigma_1, v_1)$ and $e'_1(w)(\gamma)\sigma = (w'_1, u'_1, \sigma'_1, v'_1)$. From the pullback-preserving property of computations and $p_1$, there is a common value $v \in \llbracket A \rrbracket \bar w_1$ and a context $\bar\gamma \in \llbracket \Gamma \rrbracket \bar w_1$ which are equal, respectively, to $v_1$ and $v'_1$, and to $u_1.\gamma$ and $u'_1.\gamma$ (when taken to the correct world). We then construct a proof in $\llbracket \Gamma \times A \rrbracket \bar w_1$. We now apply the proof of $e_2 \sim e'_2$ twice: once in the pullback $w_1 \Diamond \bar w_1$ and once in the pullback $\bar w_1 \Diamond w'_1$, obtaining two pullbacks $w_2 \Diamond q_2$ and $q_2 \Diamond w'_2$. By Lemma 3 we can compose them, and the resulting values and heaps are equal. □

Lemma 14 (fix). Let $\Gamma, D$ be semantic types so that for each $w$ the predomain $Dw$ is a domain with least element $\bot_w$ such that $(\bot_w, \bot_w, r(\bot_w)) \le (d, d', p)$ holds for every proof $p \in D(d, d')$, and such that $x.\bot_w = \bot_{w'}$ holds for every $x : w \to w'$.³

i. There then exists a function $\mathit{fix}$ so that whenever $e : \Gamma \times D \to D$ then $\mathit{fix}(e) : \Gamma \to D$.
ii. If $e \sim e'$ then $\mathit{fix}(e) \sim \mathit{fix}(e')$. Furthermore, the fixpoint and unrolling equations hold.
iii. Finally, if $f \Vdash^{\Gamma \times D \to D} e$ then $f^\dagger \Vdash^{\Gamma \to D} \mathit{fix}(e)$.

Proof. For every $w$ we have $e_0 w : \Gamma w \times Dw \to Dw$. We can thus form $\mathit{fix}(e)_0 w := (e_0 w)^\dagger : \Gamma w \to Dw$. It remains to define $\mathit{fix}(e)_1$. To do that, we recall that we have an ascending chain of elements $\mathit{fix}^n(e)_0 w(\gamma) \in Dw$ given by $\mathit{fix}^0(e)_0 w(\gamma) = \bot_w$ and $\mathit{fix}^{n+1}(e)_0 w(\gamma) = e_0 w(\gamma, \mathit{fix}^n(e)_0 w(\gamma))$, and have $\mathit{fix}(e)_0 w(\gamma) = \sup_n \mathit{fix}^n(e)_0 w(\gamma)$. Now suppose that $\gamma \in \Gamma w$ and $x : w \to w'$ and $\gamma' \in \Gamma w'$ and $p \in \Gamma w'(x.\gamma, \gamma')$. Write $d_n = \mathit{fix}^n w(\gamma)$ and $d'_n = \mathit{fix}^n w'(\gamma')$. Inductively, we get proofs $p_n \in Dw'(x.d_n, d'_n)$ where $p_0 = r(\bot_{w'})$ (note that $x.\bot_w = \bot_{w'}$) and $p_{n+1} = e_1(p, p_n)$. Since $(x.\bot_w, \bot_{w'}, r(\bot_{w'})) \le (x.d_1, d'_1, p_1)$, we obtain by monotonicity of $e_1$ and induction that $(x.d_n, d'_n, p_n)$ is an ascending chain with supremum $(x.\sup_n d_n, \sup_n d'_n, q)$ for some proof $q$, which we take as $\mathit{fix}(e)_1(p)$. Note that the passage from $p$ to $q$ is continuous. □

³ For example $D = A \Rightarrow T_\varepsilon B$ for semantic types $A, B$.
A.5 Applications

The following lemma formalizes our intuition that

Proof of Lemma 2. The proof that the values are equal in $w$ follows directly from the definition of computations and effects.

For the first part, we use the following relation $R$, defined for all worlds $w_1$ such that $u : w \to w_1$:

$Rw_1 = \{(\sigma, \sigma') \mid \sigma \sim_{\mathit{rds}(\varepsilon, w)} \sigma' \wedge \forall l \in w.\, ((\sigma.u, \sigma_0) \in I^* \wedge (\sigma'.u, \sigma'_0) \in I^*) \vee (\sigma.u, \sigma'.u) \in I^*\}$

Otherwise, for the worlds $w_2$ not reachable from $w$, the relation $Rw_2$ is the trivial set. Notice that $R \in \mathcal{R}(\varepsilon)$ and it is contravariant. The claim then follows directly.

The proof of the second part follows in a similar fashion, but we use the following relation:

$\{(\sigma, \sigma') \mid \sigma \sim_{\mathit{rds}(\varepsilon, w)} \sigma' \wedge \sigma \sim_{\mathit{nwrs}(\varepsilon, w)} \sigma_0.u\}$

and we use a similar relation for showing that $\sigma_1$ and $\sigma'_1.u'$ agree on the non-written locations $\mathit{nwrs}(\varepsilon, w)$.

For the third property, we first show that there is an isomorphism between $w(r)$ and $w_1(r)$ for all regions $r \notin \mathit{als}(\varepsilon)$ by using the following relation:

$\{(\sigma, \sigma') \mid \sigma \sim \sigma' \wedge \forall r \notin \mathit{als}(\varepsilon).\, \#_r(\sigma), \#_r(\sigma') \le \#_r(w)\}$

where $\#_r$ denotes the number of abstract locations coloured with $r$. Clearly $R \in \mathcal{R}(\varepsilon)$, as $\varepsilon$ contains no allocation effect on such $r$. This gives us one direction, while the other direction is obtained by using the inclusion morphisms. Given this property, one can easily construct the function $c'$. □

Proposition 5 (commuting computations). Suppose that $\Gamma \vdash e_1 : \tau_1\ \&\ \varepsilon_1$ and $\Gamma \vdash e_2 : \tau_2\ \&\ \varepsilon_2$, where $\mathit{rds}(\varepsilon_1) \cap \mathit{wrs}(\varepsilon_2) = \mathit{rds}(\varepsilon_2) \cap \mathit{wrs}(\varepsilon_1) = \mathit{wrs}(\varepsilon_1) \cap \mathit{wrs}(\varepsilon_2) = \emptyset$. Let $e = \mathrm{let}\ x \Leftarrow e_1\ \mathrm{in}\ \mathrm{let}\ y \Leftarrow e_2\ \mathrm{in}\ (x, y)$ and $e' = \mathrm{let}\ y \Leftarrow e_2\ \mathrm{in}\ \mathrm{let}\ x \Leftarrow e_1\ \mathrm{in}\ (x, y)$. Then $\llbracket \Gamma \vdash e : \tau_1 \times \tau_2\ \&\ \varepsilon_1 \cup \varepsilon_2 \rrbracket \sim \llbracket \Gamma \vdash e' : \tau_1 \times \tau_2\ \&\ \varepsilon_1 \cup \varepsilon_2 \rrbracket$.

Proof. Assume a world $w$ and a context $\gamma \in \llbracket \Gamma \rrbracket w$. Let $c_i = \llbracket \Gamma \vdash e_i : \tau_i\ \&\ \varepsilon_i \rrbracket$ for $i = 1, 2$.

It is enough to assume a pullback $w\,{}^{1}\Diamond^{1}\,w$ and an abstract heap $\sigma_0 \in Sw$. Assume that these functions are defined as follows:

$c_1(w)(\gamma)\sigma_0 = (w \uplus w_1, u_1, \sigma_1, v_1)$

$c_2(w \uplus w_1)(u_1.\gamma)\sigma_1 = (w \uplus w_1 \uplus w_2, u_2, \sigma_2, v_2)$

$c_2(w)(\gamma)\sigma_0 = (w \uplus w'_2, u'_2, \sigma'_2, v'_2)$

$c_1(w \uplus w'_2)(u'_2.\gamma)\sigma'_2 = (w \uplus w'_2 \uplus w'_1, u'_1, \sigma'_1, v'_1)$

One can easily show that when one of these functions is undefined, then the corresponding function is also undefined.

We need to show that there is a proof $w \uplus w_1 \uplus w_2\,{}^{x}\Diamond^{x'}\,w \uplus w'_2 \uplus w'_1$ such that $p : \sigma_2.x \sim \sigma'_1.x'$, $p_1 : x.u_2.v_1 \sim x'.v'_1$ and $p_2 : x.v_2 \sim x'.u'_1.v'_2$. Decompose $w = w_0 \uplus q_1 \uplus q_2$, where $w(\mathit{wrs}(\varepsilon_i)) \subseteq q_i$. The existence of such a decomposition follows from the disjointness of the write effects of $\varepsilon_1$ and $\varepsilon_2$.

From Lemma 2 and from the disjointness of reads and writes, $\sigma_0$ and $\sigma'_2$ agree on the locations in $w_0 \uplus q_1$. That is, there is a proof $p : \sigma_0.1 \sim \sigma'_2.x_1$, defined using the pullback $w_0 \uplus q_1\,{}^{1}\Diamond^{x_1}\,w_0 \uplus q_1 \uplus w'_2$, where $x_1 : w_0 \uplus q_1 \to w_0 \uplus q_1 \uplus w'_2$. Applying $(c_1)_1$ to the objects above, we get the pullback $w_0 \uplus q_1 \uplus w_1\,{}^{x_2}\Diamond^{x'_2}\,w_0 \uplus q_1 \uplus w'_2 \uplus w'_1$ and a proof $q : x_2.v_1 \sim x'_2.v'_1$. Symmetrically, we obtain the pullback $w_0 \uplus q_2 \uplus w_2\,{}^{x_3}\Diamond^{x'_3}\,w_0 \uplus q_2 \uplus w'_2$ and a proof $q' : x_3.v_2 \sim x'_3.v'_2$. Hence there is also a proof in the larger world $\mathrm{cod}(x)$.

To see informally that the final heaps $\sigma_2$ and $\sigma'_1$ are equal, we use the following facts obtained using Lemma 2: $\sigma_0$ and $\sigma'_2$ agree on the locations in $w_0 \uplus q_1$; hence $\sigma_1$ and $\sigma'_1$ agree on the locations in $w_0 \uplus q_1$, and so do $\sigma_1$ and $\sigma_2$, since $c_2$ does not write in $q_1$; hence $\sigma_2$ and $\sigma'_1$ agree on the locations in $w_0 \uplus q_1$. Symmetrically, we can also argue that $\sigma_2$ and $\sigma'_1$ agree on the locations in $w_0 \uplus q_2$. Composing these proofs (see the comment after Lemma 9 for why this is allowed), we get that $\sigma_2$ and $\sigma'_1$ agree on all locations in $w$. Finally, since the locations allocated by one computation are not used by the other computation, the final heaps are equal at the apex world. □

The following propositions are also provable. All propositions are proved in a similar way to the soundness proof of the commuting case, using Lemma 2 when needed. For instance, the soundness proof of the duplicated computation uses the third case of Lemma 2.

Proposition 6 (dead computation). Suppose that $\Gamma \vdash e : \mathit{unit}\ \&\ \varepsilon$, that $\mathit{wrs}(\varepsilon) = \emptyset$, and that $\llbracket \Gamma \vdash e : \mathit{unit}\ \&\ \varepsilon \rrbracket w(\gamma)(\sigma)$ is defined for all worlds $w$, all contexts $\gamma \in \llbracket \Gamma \rrbracket w$ and all abstract heaps $\sigma \in Sw$. Then $\llbracket \Gamma \vdash e : \mathit{unit}\ \&\ \varepsilon \rrbracket \sim \llbracket \Gamma \vdash () : \mathit{unit}\ \&\ \varepsilon \rrbracket$.

Proof. Assume a world $w$ and a context $\gamma \in \llbracket \Gamma \rrbracket w$. Let $c = \llbracket \Gamma \vdash e : \mathit{unit}\ \&\ \varepsilon \rrbracket$. It is enough to assume a pullback $w\,{}^{1}\Diamond^{1}\,w$ and an abstract heap $\sigma_0 \in Sw$. Let $c(w)(\gamma)\sigma_0 = (w_1, u, \sigma_1, v_1)$. We need to construct a pullback such that $v_1$ is equivalent to $()$ in its apex and $\sigma_1$ is equivalent to $\sigma_0$ in its low point. Consider the pullback square on $w_1$ and $w$ with apex $w_1$ and low point $w$ given by $u$. Clearly $v_1 = ()$, and therefore the values are equivalent in $w_1$. Moreover, from the fact that $\mathit{wrs}(\varepsilon) = \emptyset$, $\sigma_1$ and $\sigma_0$ agree on all locations in $w$. Hence $\sigma_1.u \sim \sigma_0$, which finishes the proof. □

Proposition 7 (duplicated computation). Suppose that $\Gamma \vdash e : \tau\ \&\ \varepsilon$ and that $\mathit{rds}(\varepsilon) \cap \mathit{wrs}(\varepsilon) = \mathit{als}(\varepsilon) = \emptyset$. Thus $e$ reads and writes on disjoint portions of the store and makes no allocations. Then the terms $e_1$ and $e_2$ below

$\mathrm{let}\ x \Leftarrow e\ \mathrm{in}\ (x, x)$ and $\mathrm{let}\ x \Leftarrow e\ \mathrm{in}\ \mathrm{let}\ y \Leftarrow e\ \mathrm{in}\ (x, y)$

are contextually equivalent. Formally, $\llbracket \Gamma \vdash e_1 : \tau \times \tau\ \&\ \varepsilon \rrbracket \sim \llbracket \Gamma \vdash e_2 : \tau \times \tau\ \&\ \varepsilon \rrbracket$.

Proof. Assume a world $w$ and a context $\gamma \in \llbracket \Gamma \rrbracket w$. Let $c = \llbracket \Gamma \vdash e : \tau\ \&\ \varepsilon \rrbracket$. It is enough to assume a pullback $w\,{}^{1}\Diamond^{1}\,w$ and an abstract heap $\sigma_0 \in Sw$. From Lemma 2, and since these computations do not allocate, we can assume that they do not cause any world extension and are therefore defined as follows:

$c(w)(\gamma)\sigma_0 = (w, 1, \sigma_1, v_1)$ and $c(w)(\gamma)\sigma_1 = (w, 1, \sigma_2, v_2)$.

We need to show that the values $v_1$ and $v_2$ are equivalent and that the heaps $\sigma_1$, obtained by running $e$ once, and $\sigma_2$, obtained by running $e$ twice, are also equal.

Decompose $w = w_0 \uplus w_r \uplus w_w$, where $w_r$ contains all the regions read by $e$ and $w_w$ all the regions written by $e$. This is possible because of the disjointness of $e$'s read and write effects. From Lemma 2 and this disjointness, $\sigma_0$ and $\sigma_1$ agree on the regions read by $e$, that is, $\sigma_0 \sim_{\mathit{rds}(\varepsilon, w)} \sigma_1$. Hence, again from Lemma 2, the values $v_1$ and $v_2$ are equal. Moreover, the locations in $w_w$ are written equally, while the locations in $w_0 \uplus w_r$ are left unchanged; that is, $\sigma_1$ and $\sigma_2$ agree on all locations in $w$. □

Proposition 8 (pure lambda hoist). Suppose that $\Gamma \vdash e : Z\ \&\ \emptyset$ and $\Gamma, x{:}X, y{:}Z \vdash e' : Y\ \&\ \varepsilon$. Let $e_1$ and $e_2$ be respectively $\lambda x.\, \mathrm{let}\ y \Leftarrow e\ \mathrm{in}\ e'$ and $\mathrm{let}\ y \Leftarrow e\ \mathrm{in}\ \lambda x.\, e'$. Then

$\llbracket \Gamma \vdash e_1 : (X \to Y)\ \&\ \emptyset \rrbracket \sim \llbracket \Gamma \vdash e_2 : (X \to Y)\ \&\ \emptyset \rrbracket$.

Proof. Assume a world $w$ and a context $\gamma \in \llbracket \Gamma \rrbracket w$. Let $c = \llbracket \Gamma \vdash e : Z\ \&\ \emptyset \rrbracket$ and $c' = \llbracket \Gamma, x{:}X, y{:}Z \vdash e' : Y\ \&\ \varepsilon \rrbracket$. It is enough to assume a pullback $w\,{}^{1}\Diamond^{1}\,w$ and an abstract heap $\sigma_0 \in Sw$. Since $e$ has no effects, we have no world extension:

$c(w)(\gamma)\sigma_0 = (w, 1, \sigma'_1, v'_1)$

Moreover, from Lemma 2, $\sigma'_1$ and $\sigma_0$ agree on all locations. We now show that

$\llbracket \Gamma \vdash \lambda x.\, \mathrm{let}\ y \Leftarrow e\ \mathrm{in}\ e'(x, y) : X \to Y \rrbracket \sim \llbracket \Gamma \vdash \lambda x.\, e'(x, v'_1) : X \to Y \rrbracket$.

In order to prove this, assume a morphism $v : w \to w_1$ and $a \in \llbracket X \rrbracket w_1$. We then need to prove that the computations resulting from applying the functions above to $a$ are equivalent in the pullback $w_1\,{}^{1}\Diamond^{1}\,w_1$. For this, assume an abstract heap $\sigma \in Sw_1$. Since $e$ has no effect, $c$ causes no world extension:

$c(w_1)(v.\gamma)\sigma = (w_1, 1, \sigma_1, v_1)$

$c'(w_1)(v.\gamma, a, v_1)\sigma_1 = (w_2, u_2, \sigma_2, v_2)$

$c'(w_1)(v.\gamma, a, v.v'_1)\sigma = (w'_2, u'_2, \sigma'_2, v'_2)$

Since $e$ is pure, we have $v_1 = v.v'_1$, and from Lemma 2 we have that $\sigma_1$ and $\sigma$ agree on all locations in $w_1$, in particular on the locations read by $e'$. Hence, again by Lemma 2, the pullback proof exists where $\sigma_2$ and $\sigma'_2$ are equal in its low point and the resulting values are equal in its apex. □
Masking. We now justify the soundness of the masking rule shown below:

$\dfrac{\Gamma \vdash t : \tau\ \&\ \varepsilon \qquad r \notin \mathit{regs}(\Gamma) \cup \mathit{regs}(\tau)}{\Gamma \vdash t : \tau\ \&\ \varepsilon \setminus \{\mathit{rd}_r, \mathit{wr}_r, \mathit{al}_r\}}\ \text{Masking}$

which allows one to mask effects, that is, to let a computation behave closer to a pure function. As discussed in [4], since the effect-dependent equations can only be applied if some conditions on the set of effects are satisfied, masking effects may enable the use of such equations (see the commuting computations equation).

Assume that for every set of regions $R$ we take a different instantiation $W_R$ where all abstract locations get colours from $R$. Within $W_R$ we can interpret app, lambda, fix, etc. If $R \subseteq R'$ and $X$ is a semantic type over $W_{R'}$, denote by $X|R$ its restriction to $W_R$. In our setting, we prove the soundness of the masking rule by providing morphisms between the objects in $W_R$ and the objects in $W_{R'}$ restricted to $R$, where $R \subseteq R'$.
Body of Loop:
    x := load(p);
    y := x * c;
    store(p, y);
    p := p + 8;
    i := i + 1;

Prolog:
    p1 := p;
    p2 := p;
    x1 := x;
    x2 := x;
    x1 := load(p1);
    p2 := p1 + 8;
    x2 := load(p2);    [rd_r2]
    y := x1 * c;
    i := i + 2;

Steady Program:
    store(p1, y);      [wr_r1]
    p1 := p2 + 8;
    y := x2 * c;
    x1 := load(p1);    [rd_r1]
    store(p2, y);      [wr_r2]
    p2 := p1 + 8;
    y := x1 * c;
    x2 := load(p2);    [rd_r2]
    i := i + 2;

Epilogue:
    store(p1, y);      [wr_r1]
    y := x2 * c;
    store(p2, y);      [wr_r2]
    x := x2;
    p := p2;

Fig. 6: Program obtained from the loop unrolling technique. Here p, p1 and p2 are pointers and all load and store operations are on 64-bit numbers (float).

This corresponds in our setting to the Masking Lemma in [4] and is formalized by introducing the notion of matching pairs: Let $X$ be a semantic type over $W_R$ and $X'$ be a semantic type over $W_{R'}$. The two form a matching pair if there are morphisms $i : X \to X'|R$ and $j : X'|R \to X$, both tracked by the identity on the level of values and isomorphisms w.r.t. $\sim$. The idea is that if $\tau$ only mentions regions in $R$ then $\llbracket \tau \rrbracket$ with respect to $R$ and $\llbracket \tau \rrbracket$ with respect to $R'$ will form a matching pair.

Suppose that $w \in W_R$. If $\sigma \in Sw$ then, since $w$ can also be viewed over $R'$, we can understand $\sigma$ as living in $W_{R'}$. Conversely, if $w \in W_{R'}$ and $\sigma \in Sw$, then we also have $\sigma \in S(w|R)$ by coarsening. This is because if $\sigma$ satisfies all the contracts in the larger worlds involving the regions $R'$, then it also satisfies the contracts for the regions in the smaller set $R$. In fact, every world $w \in W_{R'}$ induces a world $w|R \in W_R$.

We now prove that if only regions from $R$ are mentioned in $\tau$ then $\llbracket \tau \rrbracket R$ and $\llbracket \tau \rrbracket R'$ form a matching pair, where $\llbracket \tau \rrbracket R$ denotes the interpretation with respect to $W_R$: Suppose that $\varepsilon$ mentions all of $R'$, that $(\Gamma, \Gamma')$ and $(A, A')$ are matching pairs, and that $e : \Gamma' \to T_\varepsilon A'$ is a morphism tracked by $f : V \to C$. There then exists a morphism $\mathit{mask}(e) : \Gamma \to T_{\varepsilon|R} A$ also tracked by $f$, and if $e \sim e'$ then $\mathit{mask}(e) \sim \mathit{mask}(e')$.

Let $i_\Gamma$ and $j_\Gamma$ be the morphisms witnessing that $(\Gamma, \Gamma')$ form a matching pair, and $i_A$ and $j_A$ those witnessing that $(A, A')$ form a matching pair. It is then easy to prove the soundness of masking by using the morphism $\mathit{mask}(e)w(\gamma)(\sigma) = \mathrm{let}\ (\sigma_1, v) \Leftarrow e(i_\Gamma(\gamma))(\sigma)\ \mathrm{in}\ (\sigma_1, j_A(v))$.

Example: Loop Unrolling. Loop unrolling is a software pipelining technique used to enhance the use of parallel processing. The idea is that, instead of iterating a loop in a sequential manner, one attempts to process a number of iterations of the loop at the same time using multiple processors.

As described in [31], implementing and proving the correctness of loop unrolling techniques is hard, as one needs to demonstrate that the program resulting from loop unrolling, which can be executed in parallel, is equivalent to the original sequential program. We briefly illustrate the power of our system with regions and effects on one of the running examples in [31]. Consider a loop program whose body is depicted in Figure 6. Intuitively, this program multiplies all the elements of an array of float values by the value c. Clearly, instead of executing this program sequentially, we can execute different iterations in parallel. In particular, after applying the loop unrolling optimization to a program, one obtains a program that is divided into three parts: the prolog, which initializes all the variables; the steady state, which is iterated; and the epilogue, which is executed when the loop condition is no longer true and the loop is over. Figure 6 contains the program obtained by loop unrolling two iterations of the program above. The Prolog and the Epilogue are executed at the beginning and the end, respectively, while the Steady Program may be executed several times.

The task is to show that the optimized program is equivalent to the sequential program above. Using the unrolling equations from Lemma 14 we can unroll the loop twice ($n = 2$) and extract a prologue. We can then conclude with effect-dependent equivalences, in particular Prop. 5, as follows. We use two regions $r_1$ and $r_2$. All even elements of the array, that is, $p, p + 16, p + 32, \ldots$, belong to the region $r_1$, while all odd elements, that is, $p + 8, p + 24, p + 40, \ldots$, belong to the region $r_2$. Given this setting, the read and write effects are as shown in Figure 6. It is now a simple exercise to show that any execution of the optimized program is equivalent to an execution of the sequential program. For instance, any instruction with a read effect on $r_1$ can be permuted so that it appears immediately before the following instruction with a write effect on the same region $r_1$. This is possible because the only effect between these two instructions is a read on the other region $r_2$. The same is true for permuting instructions that read on $r_2$.
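As an added illustration (not from the paper) of the side condition of Proposition 5 and of the region layout used in the loop-unrolling example, the following Python script models a flat, region-tagged store as in A.3: even array elements are coloured $r_1$ and odd ones $r_2$, a tiny straight-line instruction set records which $\mathit{rd}_r$ and $\mathit{wr}_r$ effects a program exercises, and `check_commutation` compares the two orderings $e_1; e_2$ and $e_2; e_1$ against the disjointness condition. The instruction set, the register names and the sample store are constructed for this example, and the effects here are observed dynamically rather than inferred by the type system.

```python
# Added example (not the paper's code): effect-based commutation check on a
# flat, region-tagged store, using the even/odd region layout of Fig. 6.
# The instruction set and the sample state below are constructed for this
# illustration.

ELEM = 8  # every array element is an 8-byte float, as in Fig. 6

def region(addr):
    """Even elements belong to r1, odd elements to r2."""
    return 'r1' if (addr // ELEM) % 2 == 0 else 'r2'

def run(prog, env, store):
    """Execute a straight-line program over registers `env` and a flat store.
    Instructions:  ('load', x, p)   x := load(p)
                   ('store', p, y)  store(p, y)
                   ('mul', y, x, c) y := x * c
                   ('add', p, q, k) p := q + k
    Returns (env', store', effects), where effects is the set of ('rd', r) and
    ('wr', r) actually exercised by the loads and stores."""
    env, store, eff = dict(env), dict(store), set()
    for ins in prog:
        op = ins[0]
        if op == 'load':
            addr = env[ins[2]]
            eff.add(('rd', region(addr)))
            env[ins[1]] = store.get(addr, 0.0)
        elif op == 'store':
            addr = env[ins[1]]
            eff.add(('wr', region(addr)))
            store[addr] = env[ins[2]]
        elif op == 'mul':
            env[ins[1]] = env[ins[2]] * ins[3]
        elif op == 'add':
            env[ins[1]] = env[ins[2]] + ins[3]
        else:
            raise ValueError('unknown instruction %r' % (op,))
    return env, store, eff

def rds(eff):
    return {r for kind, r in eff if kind == 'rd'}

def wrs(eff):
    return {r for kind, r in eff if kind == 'wr'}

def may_commute(eff1, eff2):
    """Side condition of Prop. 5:
    rds(e1) & wrs(e2) = rds(e2) & wrs(e1) = wrs(e1) & wrs(e2) = empty."""
    return (not (rds(eff1) & wrs(eff2))
            and not (rds(eff2) & wrs(eff1))
            and not (wrs(eff1) & wrs(eff2)))

def check_commutation(e1, e2, env, store):
    """Run e1;e2 and e2;e1 from the same state.  Returns (side_condition_holds,
    final_states_agree); Prop. 5 says the first implies the second."""
    env_a, st_a, eff1 = run(e1, env, store)
    env_a, st_a, eff2 = run(e2, env_a, st_a)
    env_b, st_b, _ = run(e2, env, store)
    env_b, st_b, _ = run(e1, env_b, st_b)
    return may_commute(eff1, eff2), (env_a == env_b and st_a == st_b)

# Constructed sample state: four array elements starting at address 0, c = 2.
STORE = {0: 1.0, 8: 10.0, 16: 3.0, 24: 30.0}
ENV = {'p1': 0, 'p2': 8, 'q': 0}

# One r1 step and one r2 step of the unrolled loop: each reads and writes only
# its own region and advances its pointer by two elements (keeping the parity).
E1 = [('load', 'x1', 'p1'), ('mul', 'y1', 'x1', 2.0), ('store', 'p1', 'y1'), ('add', 'p1', 'p1', 16)]
E2 = [('load', 'x2', 'p2'), ('mul', 'y2', 'x2', 2.0), ('store', 'p2', 'y2'), ('add', 'p2', 'p2', 16)]
# A step that reads and writes r1 through q: violates the side condition.
E2_BAD = [('load', 'x2', 'q'), ('add', 'y2', 'x2', 1.0), ('store', 'q', 'y2')]

if __name__ == '__main__':
    print(check_commutation(E1, E2, ENV, STORE))      # (True, True)
    print(check_commutation(E1, E2_BAD, ENV, STORE))  # (False, False)
```

Running it shows that the two single-region steps of the unrolled loop commute, while a step that touches $r_1$ through a second pointer both fails the side condition and produces a different final store, which is the situation the effect system is meant to rule out before the equation of Prop. 5 is applied.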
